Windows Analysis Report: Updated Order COA.doc

Overview

General Information

Sample Name: Updated Order COA.doc
Analysis ID: 435312
MD5: 59f9c2a162cf48fe5819f58b697c107c
SHA1: f8702f19bae3a9f2dd1fca58f6eae3d6e62d4878
SHA256: 23a865d4a1205be496c45012233d96255c90102e3925dab252d30d9a70f82ba9
Tags: doc
Detection

Detection: Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Process Start Without DLL
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Connects to a URL shortener service
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1748 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2624 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • 098765.exe (PID: 2428 cmdline: C:\Users\Public\098765.exe MD5: 5688C69C4379841EEE42DCAEC2DBF55A)
      • RegAsm.exe (PID: 2896 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
        • schtasks.exe (PID: 2456 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • taskeng.exe (PID: 2536 cmdline: taskeng.exe {6204476F-CB6D-41BF-A018-07A92169AAA2} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • RegAsm.exe (PID: 2592 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe 0 MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "18773cd6-e296-4327-b004-0088e2e8",
  "Group": "WEALTH",
  "Domain1": "185.140.53.154",
  "Domain2": "wealthybillionaire.ddns.net",
  "Port": 5540,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
    • 0x3185:$a: NanoCore
    • 0x31de:$a: NanoCore
    • 0x321b:$a: NanoCore
    • 0x3294:$a: NanoCore
    • 0x1693f:$a: NanoCore
    • 0x16954:$a: NanoCore
    • 0x16989:$a: NanoCore
    • 0x2f933:$a: NanoCore
    • 0x2f948:$a: NanoCore
    • 0x2f97d:$a: NanoCore
    • 0x31e7:$b: ClientPlugin
    • 0x3224:$b: ClientPlugin
    • 0x3b22:$b: ClientPlugin
    • 0x3b2f:$b: ClientPlugin
    • 0x166fb:$b: ClientPlugin
    • 0x16716:$b: ClientPlugin
    • 0x16746:$b: ClientPlugin
    • 0x1695d:$b: ClientPlugin
    • 0x16992:$b: ClientPlugin
    • 0x2f6ef:$b: ClientPlugin
    • 0x2f70a:$b: ClientPlugin
Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security

Unpacked PEs

Source: 4.2.098765.exe.35098d0.9.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 4.2.098765.exe.35098d0.9.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
      • 0xe105:$x1: NanoCore Client.exe
      • 0xe38d:$x2: NanoCore.ClientPluginHost
      • 0xf9c6:$s1: PluginCommand
      • 0xf9ba:$s2: FileCommand
      • 0x1086b:$s3: PipeExists
      • 0x16622:$s4: PipeCreated
      • 0xe3b7:$s5: IClientLoggingHost
Source: 4.2.098765.exe.35098d0.9.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 4.2.098765.exe.35098d0.9.unpack, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
        • 0xe0f5:$a: NanoCore
        • 0xe105:$a: NanoCore
        • 0xe339:$a: NanoCore
        • 0xe34d:$a: NanoCore
        • 0xe38d:$a: NanoCore
        • 0xe154:$b: ClientPlugin
        • 0xe356:$b: ClientPlugin
        • 0xe396:$b: ClientPlugin
        • 0xe27b:$c: ProjectData
        • 0xec82:$d: DESCrypto
        • 0x1664e:$e: KeepAlive
        • 0x1463c:$g: LogClientMessage
        • 0x10837:$i: get_Connected
        • 0xefb8:$j: #=q
        • 0xefe8:$j: #=q
        • 0xf004:$j: #=q
        • 0xf034:$j: #=q
        • 0xf050:$j: #=q
        • 0xf06c:$j: #=q
        • 0xf09c:$j: #=q
        • 0xf0b8:$j: #=q
Source: 4.2.098765.exe.35098d0.9.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2624, TargetFilename: C:\Users\Public\098765.exe

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\Public\098765.exe, CommandLine: C:\Users\Public\098765.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\098765.exe, NewProcessName: C:\Users\Public\098765.exe, OriginalFileName: C:\Users\Public\098765.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2624, ProcessCommandLine: C:\Users\Public\098765.exe, ProcessId: 2428
Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\Public\098765.exe, CommandLine: C:\Users\Public\098765.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\098765.exe, NewProcessName: C:\Users\Public\098765.exe, OriginalFileName: C:\Users\Public\098765.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2624, ProcessCommandLine: C:\Users\Public\098765.exe, ProcessId: 2428
Sigma detected: Suspicious Process Start Without DLL
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: C:\Users\Public\098765.exe, ParentImage: C:\Users\Public\098765.exe, ParentProcessId: 2428, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896
Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: C:\Users\Public\098765.exe, ParentImage: C:\Users\Public\098765.exe, ParentProcessId: 2428, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2896, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt, ReversingLabs: Detection: 22%
Source: C:\Users\Public\098765.exe, ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: Updated Order COA.doc, ReversingLabs: Detection: 17%
Yara detected Nanocore RAT
Source: Yara match, file source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY
Source: Yara match, file source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt, Joe Sandbox ML: detected
Source: C:\Users\Public\098765.exe, Joe Sandbox ML: detected
Source: 5.2.RegAsm.exe.920000.6.unpack, Avira: Label: TR/NanoCore.fadte
Source: 5.2.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\098765.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown, HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 82.221.105.125:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.4.dr
Source: C:\Users\Public\098765.exe, Code function: 4x nop then jmp 002D8BA8h (4_2_002D8320)
Source: global traffic, DNS query: name: bit.ly
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:443
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 67.199.248.10:443

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 185.140.53.154
Source: Malware configuration extractor, URLs: wealthybillionaire.ddns.net
Uses dynamic DNS services
Source: unknown, DNS query: name: wealthybillionaire.ddns.net
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, DNS query: name: bit.ly
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, DNS query: name: bit.ly
Source: global traffic, TCP traffic: 192.168.2.22:49173 -> 185.140.53.154:5540
Source: Joe Sandbox View, IP Address: 82.221.105.125
Source: Joe Sandbox View, IP Address: 185.140.53.154
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG
Source: Joe Sandbox View, JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{248C44A0-30CA-4646-ACFF-79FC9E14ADCB}.tmp
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: bit.ly
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 098765.exe, 00000004.00000002.2125459036.0000000005DFF000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, String found in binary or memory: http://go.microsoft.
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, String found in binary or memory: http://n.f
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, 098765.exe, 00000004.00000003.2117350374.0000000004B43000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.c/s
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobede
Source: 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp, String found in binary or memory: http://ns.ao
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0%
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0-
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0/
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com05
Source: 098765.exe, 00000004.00000002.2125459036.0000000005DFF000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net03
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net0D
Source: 098765.exe, 00000004.00000002.2118233396.0000000002320000.00000004.00000001.sdmp, 098765.exe, 00000004.00000002.2118217008.0000000002307000.00000004.00000001.sdmp, String found in binary or memory: http://schema.org/WebPage
Source: 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp, RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp, RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: 2TE7JJq[1].htm.2.dr, String found in binary or memory: https://offlineclubz.com/PC.txt
Source: 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp, String found in binary or memory: https://secure.comodo.com/CPS0
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com
Source: 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown, Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown, HTTPS traffic detected: 67.199.248.10:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 82.221.105.125:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (the same Yara matches as listed under AV Detection above)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15AJump to dropped file

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        .NET source code contains very large array initializations
        Source: 098765.exe.2.dr, Qb7p/Kg37.cs; Large array initialization: .cctor: array initializer size 2653
        Source: 098765.exe.2.dr, e1L/Bs2.cs; Large array initialization: .cctor: array initializer size 2943
        Source: 4.0.098765.exe.e30000.0.unpack, Qb7p/Kg37.cs; Large array initialization: .cctor: array initializer size 2653
        Source: 4.0.098765.exe.e30000.0.unpack, e1L/Bs2.cs; Large array initialization: .cctor: array initializer size 2943
        Source: 4.2.098765.exe.e30000.3.unpack, e1L/Bs2.cs; Large array initialization: .cctor: array initializer size 2943
        Source: 4.2.098765.exe.e30000.3.unpack, Qb7p/Kg37.cs; Large array initialization: .cctor: array initializer size 2653
        Office equation editor drops PE file
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\098765.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
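The two file-creation events above are the pivot of this chain: the Equation Editor has no legitimate reason to write anything, let alone a PE into C:\Users\Public, and the PC[1].txt entry in the IE cache shows it fetched a URL first. The following detection is an added example, not code from this report or from Joe Sandbox; it scores Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate, Sysmon field names) and escalates when a file EQNEDT32.EXE dropped is later executed. The event dicts are constructed for the example: the paths are the report's, the timestamps are not.

```python
"""Flag the Equation Editor drop-and-execute chain in Sysmon-style events.

Added example; not code from the report or from Joe Sandbox. Event dicts use
Sysmon field names (EventID 11 = FileCreate, EventID 1 = ProcessCreate). The
sample events are constructed: the paths come from the report, the times do not.
"""
import ntpath

EQNEDT = "eqnedt32.exe"
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".js", ".vbs", ".ps1", ".hta"}
# World-writable staging directories favoured by droppers; any EQNEDT32 write here is a drop.
DROP_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS the detector runs on.
    return ntpath.basename(path).lower()


def _is_exec_path(path):
    return ntpath.splitext(path)[1].lower() in EXEC_EXT


def score_event(ev):
    """Return (severity, reason) for one event, or None if it is not interesting."""
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate
        if _basename(ev["Image"]) != EQNEDT:
            return None
        target = ev["TargetFilename"]
        low = target.lower()
        if _is_exec_path(target) or any(d in low for d in DROP_DIRS):
            return ("high", f"Equation Editor dropped executable content: {target}")
        # A write into the IE cache means EQNEDT32 pulled a URL via urlmon: abnormal on its own.
        return ("medium", f"Equation Editor wrote a file it never legitimately writes: {target}")
    if eid == 1:  # ProcessCreate
        image = ev["Image"]
        if _basename(ev.get("ParentImage", "")) == EQNEDT:
            return ("high", f"Equation Editor spawned a child process: {image}")
        if image.lower().startswith("c:\\users\\public\\") and _is_exec_path(image):
            return ("medium", f"Execution from C:\\Users\\Public: {image}")
    return None


def correlate(events):
    """Score events in order and link a drop by EQNEDT32 to a later launch of that same path.

    Returns a list of alert dicts; a correlated drop-then-execute pair is raised to 'critical'.
    """
    dropped = {}  # lower-cased path of a high-severity drop -> time it was written
    alerts = []
    for ev in events:
        hit = score_event(ev)
        if hit is None:
            continue
        severity, reason = hit
        if ev["EventID"] == 11 and severity == "high":
            dropped[ev["TargetFilename"].lower()] = ev.get("UtcTime")
        if ev["EventID"] == 1 and ev["Image"].lower() in dropped:
            severity = "critical"
            reason = (f"PE dropped by EQNEDT32.EXE at {dropped[ev['Image'].lower()]} "
                      f"was executed: {ev['Image']}")
        alerts.append({"severity": severity, "reason": reason, "time": ev.get("UtcTime")})
    return alerts


EQN_IMAGE = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed sample: paths as recorded in the report, timestamps invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2021-06-10 09:00:01", "Image": EQN_IMAGE,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt"},
    {"EventID": 11, "UtcTime": "2021-06-10 09:00:02", "Image": EQN_IMAGE,
     "TargetFilename": r"C:\Users\Public\098765.exe"},
    {"EventID": 1, "UtcTime": "2021-06-10 09:00:03", "Image": r"C:\Users\Public\098765.exe",
     "ParentImage": EQN_IMAGE, "CommandLine": r"C:\Users\Public\098765.exe"},
    {"EventID": 1, "UtcTime": "2021-06-10 09:00:04", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["reason"])
```

Run against the constructed events the output is one medium alert for the cache write, one high alert for the drop, and one critical alert for the launch of 098765.exe; the notepad event is ignored. The correlation keys on the exact path, so a dropper that renames its payload before launching it only produces the two uncorrelated alerts, which is why the ParentImage check is kept as an independent signal.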
        Source: C:\Users\Public\098765.exe; Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\Public\098765.exe; Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A72D80 CreateProcessAsUserW
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D8320
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D6A58
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D3E91
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D2FD8
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002DA239
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002DA240
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D2550
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002DF680
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D6A49
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D8BC1
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D8BD0
        Source: C:\Users\Public\098765.exe; Code function: 4_2_002D3F81
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A72490
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A790E8
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A73C59
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A7B988
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A73161
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A77171
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A76A40
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A74F80
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A78860
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A78870
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A7A840
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A709B8
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A709C8
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A79B80
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A783E8
        Source: C:\Users\Public\098765.exe; Code function: 4_2_00A783F8
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 5_2_001F3DFE
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 5_2_005FB198
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 5_2_005F43A0
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 5_2_005FDD38
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 5_2_005FBDB0
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 5_2_005F3788
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 5_2_005F4458
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 5_2_005FBE6E
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe; Code function: 9_2_001F3DFE
        Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe 5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
        Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.760000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.RegAsm.exe.290e00c.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@11/22@9/3
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$dated Order COA.docJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{18773cd6-e296-4327-b004-0088e2e894f7}
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC013.tmpJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ........................................(.P.....`.......<.......$...............................................................................Jump to behavior
        Source: C:\Users\Public\098765.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\Public\098765.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Updated Order COA.doc | ReversingLabs: Detection: 17%
        Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
        Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\098765.exe C:\Users\Public\098765.exe
        Source: C:\Users\Public\098765.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
        Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {6204476F-CB6D-41BF-A018-07A92169AAA2} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
        Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\Public\098765.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
        Source: Updated Order COA.doc | Static file information: File size 2676268 > 1048576
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: RegAsm.pdb | source: RegAsm.exe, RegAsm.exe.4.dr

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00E343EE push ebx; retf 4_2_00E3440B
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00E32FA7 push ds; retf 4_2_00E331D1
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00E34CB9 pushad ; retf 4_2_00E34CC0
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00E330BD push ds; retf 4_2_00E331D1
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00E3433D push ebx; retf 4_2_00E3440B
        Source: C:\Users\Public\098765.exe | Code function: 4_2_00A71ED0 push esp; retf 4_2_00A71EE9
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_001F523F push cs; iretd 5_2_001F5240
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_02071B10 push 00000000h; retn 0004h 5_2_02071B20
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 5_2_02070172 push 00000000h; ret 5_2_02070180
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 9_2_001F523F push cs; iretd 9_2_001F5240
        Source: 098765.exe.2.dr, Wk7s/Xb3o.cs | High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
        Source: 4.0.098765.exe.e30000.0.unpack, Wk7s/Xb3o.cs | High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
        Source: 4.2.098765.exe.e30000.3.unpack, Wk7s/Xb3o.cs | High entropy of concatenated method names: '.ctor', 'Pm5i', 'b3FQ', 'q6Z1', 'f8DT', 's6BP', 'La0j', 'Dz12', 'Zt59', 'e2L8'
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.RegAsm.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\Public\098765.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\098765.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\098765.exe
        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\Public\098765.exe | File opened: C:\Users\Public\098765.exe\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Temp\RegAsm.exe:Zone.Identifier read attributes | delete
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\Public\098765.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\Public\098765.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\Public\098765.exe | Window / User API: threadDelayed 588
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 8756
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 949
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: foregroundWindowGot 445
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2488 | Thread sleep time: -180000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2488 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\098765.exe TID: 2420 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\098765.exe TID: 2976 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\098765.exe TID: 2904 | Thread sleep count: 588 > 30
Source: C:\Users\Public\098765.exe TID: 2696 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2348 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2556 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2608 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 2988 | Thread sleep time: -922337203685477s >= -30000s
Note: 922337203685477 is .NET's TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10,000), i.e. an effectively infinite wait; a sandbox that does not patch or skip such sleeps stalls on them. The high threadDelayed counters (588, 8756, 949) are the repeated short waits the report counts as sleep-based evasion, and foregroundWindowGot 445 is foreground-window polling of the kind used for user-presence checks.
Source: C:\Users\Public\098765.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\098765.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\Public\098765.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\Public\098765.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000
Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000
Source: C:\Users\Public\098765.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 7EFDE008
Note: the sequence above (an RWX allocation at the target's image base 0x400000, an MZ header written there, further writes at section-aligned offsets, then a single write far outside the image at 0x7EFDE008) is the RunPE / process-hollowing pattern. For a 32-bit process on this Windows 7 x64 system the PEB commonly sits at 0x7EFDE000, and PEB+0x08 is ImageBaseAddress, so the last write is consistent with the injector pointing the hollowed RegAsm.exe at the new image before resuming its main thread.
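The injection events above can be scored mechanically. The following Python is an added example by the editor, not code from the Joe Sandbox report or from the sample: it re-types the six injection lines in a "Source: <injector> Memory <op>: <target> base: <hex> ..." layout (the layout is an assumption about how such a feed would look), adds one benign control event, and flags the RWX-allocation / MZ-write / PEB-patch sequence. The 1 MiB image span and the "+8 outside the image means PEB.ImageBaseAddress" rule are heuristics, since the report does not show allocation sizes.

```python
import re
from collections import defaultdict

# Constructed input: the injection events from the HIPS section, re-typed in an assumed
# single-line layout, plus one benign control event (RW allocation, no PE written).
EVENTS = [
    r"Source: C:\Users\Public\098765.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000",
    r"Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000",
    r"Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000",
    r"Source: C:\Users\Public\098765.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 7EFDE008",
    r"Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A0000 protect: page read and write",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) Memory (?P<op>allocated|written): (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: protect: (?P<prot>.+?))?(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)

# Assumed upper bound on the hollowed image; the report does not show allocation sizes.
IMAGE_SPAN = 0x100000


def parse(lines):
    """Turn report lines into dicts; lines that do not match the layout are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["base"] = int(ev["base"], 16)
            out.append(ev)
    return out


def detect_hollowing(lines, image_span=IMAGE_SPAN):
    """Score each (injector, target) pair for the RunPE sequence: RWX allocation, MZ header
    written at that base, further writes inside the image, and a lone write outside the image
    whose low bits are +8 (PEB32.ImageBaseAddress lives at PEB+0x08)."""
    pairs = defaultdict(list)
    for ev in parse(lines):
        pairs[(ev["src"], ev["dst"])].append(ev)
    findings = []
    for (src, dst), evs in pairs.items():
        rwx = [e for e in evs if e["op"] == "allocated" and e["prot"] and "execute" in e["prot"]]
        if not rwx:
            continue  # a RW allocation alone is not hollowing
        lo = min(e["base"] for e in rwx)
        hi = lo + image_span
        writes = [e for e in evs if e["op"] == "written"]
        inside = [e for e in writes if lo <= e["base"] < hi]
        outside = [e for e in writes if not lo <= e["base"] < hi]
        mz = any(e["magic"] and e["magic"].upper().startswith("4D5A") and e["base"] == lo for e in inside)
        # heuristic: a write landing exactly on <page>+8 outside the image is the PEB base patch
        peb_patch = [e["base"] for e in outside if e["base"] & 0xFFF == 0x008]
        if mz and peb_patch:
            verdict = "process hollowing (RunPE)"
        elif mz:
            verdict = "PE image injected"
        else:
            verdict = "RWX allocation only"
        findings.append({
            "injector": src, "target": dst, "image_base": lo,
            "section_writes": len(inside), "peb_patch": peb_patch, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f"{f['verdict']}: {f['injector']} -> {f['target']} @ {f['image_base']:#x}, "
              f"{f['section_writes']} writes, PEB patch {[hex(a) for a in f['peb_patch']]}")
```

Run on the constructed events, the 098765.exe -> RegAsm.exe pair comes back as "process hollowing (RunPE)" with four in-image writes and the 0x7EFDE008 patch, while the explorer.exe -> svchost.exe control pair is dropped because its allocation is not executable.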
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\098765.exe C:\Users\Public\098765.exe
Source: C:\Users\Public\098765.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
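The persistence step above registers a task from an XML file in %TEMP% whose action is a RegAsm.exe copy in %TEMP% that taskeng.exe later launches with the argument "0". The Python below is an added example by the editor, not part of the report or of the sample: it parses Task Scheduler XML and flags an action that runs from a user-writable directory, a well-known binary outside the directory it ships in, and a hidden task with a logon/boot trigger. The two task definitions are constructed for the example (the real content of tmp7790.tmp is not on the page; only the task name, the command and the argument are taken from the report), and the user-writable roots and the expected-directory allow-list are assumptions to extend for your environment.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Roots a standard user can write to; a task action living here can be swapped without
# admin rights (assumed list, extend as needed).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

# Well-known binaries and a fragment of the directory they ship in; a copy anywhere else is a
# masquerade candidate (assumed allow-list, not exhaustive).
EXPECTED_DIR = {
    "regasm.exe": "\\microsoft.net\\framework",
    "regsvcs.exe": "\\microsoft.net\\framework",
    "installutil.exe": "\\microsoft.net\\framework",
    "msbuild.exe": "\\microsoft.net\\framework",
}

# Constructed task definition shaped after what the report shows (RegAsm.exe from %TEMP%,
# argument "0", task name "SMTP Service"); the XML declaration is omitted on purpose.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\SMTP Service</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Local\Temp\RegAsm.exe</Command>
      <Arguments>0</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control task.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Maintenance\DiskCleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2021-06-16T12:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec></Actions>
</Task>"""


def audit_task(xml_text):
    """Return the task's name, trigger types, hidden flag and a list of findings.
    Task files exported by schtasks are UTF-16 on disk: read those as bytes, not str,
    and pass the bytes here so the declared encoding is honoured."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    trig = root.find("t:Triggers", NS)
    triggers = [c.tag.split("}")[-1] for c in trig] if trig is not None else []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true"
    findings = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        low = cmd.lower()
        exe = PureWindowsPath(cmd).name.lower()
        if any(w in low for w in USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd} {args}".rstrip())
        expected = EXPECTED_DIR.get(exe)
        if expected and expected not in low:
            findings.append(f"{exe} outside its expected directory ({expected}): {cmd}")
    if hidden and ("LogonTrigger" in triggers or "BootTrigger" in triggers):
        findings.append("hidden task that fires at logon/boot (persistence)")
    return {"name": name, "triggers": triggers, "hidden": hidden,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_TASK, BENIGN_TASK):
        r = audit_task(xml_text)
        print(r["name"], "SUSPICIOUS" if r["suspicious"] else "ok", r["findings"])
```

The same checks apply to tasks already on a host: export them with schtasks /query /xml and feed each definition to audit_task. The path test is deliberately string-based so that a task pointing at a directory junction or a quoted path is still caught.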
Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp | Binary or memory string: Program Manager48
Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000002.2356755341.0000000000C60000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000002.2356755341.0000000000C60000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356298735.0000000000820000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: RegAsm.exe, 00000005.00000002.2359036005.0000000002B68000.00000004.00000001.sdmp | Binary or memory string: Program Managerx
Source: RegAsm.exe, 00000005.00000002.2357310721.0000000002942000.00000004.00000001.sdmp | Binary or memory string: Program Manager@
Note: "Program Manager" / "Progman" is the desktop window and "Shell_TrayWnd" the taskbar window; together with the foregroundWindowGot 445 counter above they point to foreground-window polling by the injected payload. Several of the same strings also occur in taskeng.exe's memory, so on their own they are not unique to the malware.
Source: C:\Users\Public\098765.exe | Queries volume information: C:\Users\Public\098765.exe VolumeInformation
Source: C:\Users\Public\098765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation (2 occurrences)
Source: C:\Users\Public\098765.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\Public\098765.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob
Note: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the public root "DST Root CA X3". A Blob value written under AuthRoot\Certificates for a well-known root is what Windows' automatic root-certificate update produces when a TLS chain reaches a root not yet cached locally (the HTTPS downloads in this run are the obvious trigger), so this line alone is not evidence of a rogue certificate install. The MachineGuid read is a common source of a per-victim identifier for C2 registration.

        Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 098765.exe PID: 2428, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORY
Source: Yara match | File source: 4.2.098765.exe.35098d0.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.35098d0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.39401dc.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.340b8e2.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.924629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.343e5c2.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.39401dc.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.343e5c2.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.34d6c12.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.3471292.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.340b8e2.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.3471292.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.920000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.3944805.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.920000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.098765.exe.34d6c12.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.393b3a6.14.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

Detected Nanocore Rat
Source: 098765.exe, 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Note: the long string is the concatenated #Strings metadata heap (type and member names) of NanoCore's ClientPlugin.dll assembly, lying unpacked in RegAsm.exe's memory; names such as IClientNetworkHost, IClientUIHost and IClientLoggingHost are the interfaces of the RAT's plugin host, and member names such as SendToServer, RebuildHostCache, AddHostEntry, DisableProtection and Uninstall describe the client's C2 and self-management surface.
Yara detected Nanocore RAT
Source: Yara match | the same memory dumps and unpacked PE files already listed under "Stealing of Sensitive Information" above (seven .sdmp regions, the process memory spaces of 098765.exe PID 2428 and RegAsm.exe PID 2896, and eighteen 4.2.098765.exe.* / 5.2.RegAsm.exe.* unpacked images).
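The marker string the report keys on, NanoCore.ClientPluginHost, appears in two encodings inside a .NET process: ASCII in the #Strings metadata heap (type and member names, as in the concatenated run shown above) and UTF-16LE wherever the CLR holds it as a user string. The Python below is an added example by the editor, not the community Yara rule the report used (whose strings and condition are not on the page): it searches a buffer for a few markers in both encodings and applies a minimal Yara-style "at least two distinct markers" condition, which is an assumption, not the real rule. The sample buffer is constructed for the example.

```python
import re

# Marker strings taken from the memory-dump listing in the report; the community Yara
# rule's own strings and condition are not on the page, so this only approximates it.
MARKERS = ("NanoCore.ClientPluginHost", "IClientNetworkHost", "ClientPlugin.dll")


def build_patterns(markers=MARKERS):
    """Each marker is compiled twice: as ASCII (how names sit in the .NET #Strings heap)
    and as UTF-16LE (how the CLR keeps user strings in memory)."""
    pats = []
    for text in markers:
        for enc in ("ascii", "utf-16le"):
            pats.append((text, enc, re.compile(re.escape(text.encode(enc)))))
    return pats


def scan(buf, markers=MARKERS):
    """Return sorted (offset, encoding, marker) hits found in a memory or file buffer."""
    hits = []
    for text, enc, pat in build_patterns(markers):
        hits.extend((m.start(), enc, text) for m in pat.finditer(buf))
    return sorted(hits)


def classify(buf, markers=MARKERS, minimum=2):
    """Minimal Yara-style condition (assumed): at least `minimum` distinct markers present,
    in either encoding. A single marker is too weak, as 'ClientPlugin.dll' alone shows."""
    distinct = {text for _, _, text in scan(buf, markers)}
    return "NanoCore" if len(distinct) >= minimum else "no match"


# Constructed buffer standing in for a process memory dump: an ASCII run of metadata names
# like the one in the report, a UTF-16LE copy of the host interface name, and filler bytes.
SAMPLE = (
    b"\x00" * 16
    + b"IClientNetworkHostIClientUIHostNanoCore.ClientPluginHostIClientLoggingHost"
    + b"\x00" * 8
    + "NanoCore.ClientPluginHost".encode("utf-16le")
    + b"\xff" * 4
    + b"ClientPlugin.dll"
)

if __name__ == "__main__":
    for off, enc, text in scan(SAMPLE):
        print(f"{off:#06x} {enc:9s} {text}")
    print(classify(SAMPLE))
```

On a real dump (for example one of the .sdmp regions listed above, read as bytes), the UTF-16LE hits are the ones a plain `strings` run misses unless it is told to look for wide strings; in Yara the equivalent is declaring the marker with both `ascii` and `wide` modifiers.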

MITRE ATT&CK Matrix

Each tactic is listed with the techniques of its column in the report's row order. A number in parentheses is the signature counter the report attached to that technique; techniques without a number are the empty matrix template.

Initial Access: Spearphishing Link (1); Valid Accounts (1); Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Exploitation for Client Execution (13); Command and Scripting Interpreter (1); Scheduled Task/Job (1); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Valid Accounts (1); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (312); Scheduled Task/Job (1); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (11); Masquerading (121); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (21); Process Injection (312); Hidden Files and Directories (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: File and Directory Discovery (1); System Information Discovery (13); Security Software Discovery (1); Query Registry (1); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (11); Input Capture (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (22); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

        Behavior Graph

Behavior Graph ID: 435312 | Sample: Updated Order COA.doc | Start date: 16/06/2021 | Architecture: WINDOWS | Score: 100

Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 16 other signatures

Process tree (the numbers after a process name are the graph's created-files / registry-values badges; port pairs are remote port and local port):

Start
  WINWORD.EXE (291 24)
  EQNEDT32.EXE (17)
    network: offlineclubz.com 82.221.105.125, remote port 443, local port 49168 (THORDC-ASIS, Iceland); bit.ly 67.199.248.10, remote port 443, local port 49167 (GOOGLE-PRIVATE-CLOUDUS, United States)
    dropped: C:\Users\user\AppData\Local\...\PC[1].txt (PE32); C:\Users\Public\098765.exe (PE32)
    signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    098765.exe
      dropped: C:\Users\user\AppData\Local\Temp\RegAsm.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
      RegAsm.exe
        network: wealthybillionaire.ddns.net 185.140.53.154, remote port 5540 (DAVID_CRAIGGG, Sweden)
        dropped: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Users\user\AppData\Local\...\tmp7790.tmp (XML)
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
        schtasks.exe
  taskeng.exe (1)
    RegAsm.exe


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
Updated Order COA.doc | 17% | ReversingLabs | Document-Office.Exploit.CVE-2018-0802

        Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt | 100% | Joe Sandbox ML |
C:\Users\Public\098765.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt | 22% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot
C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\RegAsm.exe | 0% | ReversingLabs |
C:\Users\Public\098765.exe | 22% | ReversingLabs | ByteCode-MSIL.Trojan.NanoBot
Note: PC[1].txt and 098765.exe are the same downloaded PE32 (the cached copy from offlineclubz.com and the one written to C:\Users\Public), hence identical verdicts. The 0% results for the dropped RegAsm.exe are consistent with its role as an injection host: the file on disk is not the payload, the NanoCore code is written into the process at 0x400000 (see the HIPS section above) and is only caught in the unpacked memory images listed below.

        Unpacked PE Files

Source | Detection | Scanner | Label
5.2.RegAsm.exe.920000.6.unpack | 100% | Avira | TR/NanoCore.fadte
5.2.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
http://ns.adobe.c/s | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation (3 verdicts) | safe
http://ns.ao | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | URL Reputation (3 verdicts) | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation (3 verdicts) | safe
http://go.microsoft. | 0% | URL Reputation (3 verdicts) | safe
http://www.%s.comPA | 0% | URL Reputation (3 verdicts) | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation (3 verdicts) | safe
http://n.f | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | URL Reputation (3 verdicts) | safe
185.140.53.154 | 0% | Avira URL Cloud | safe
wealthybillionaire.ddns.net | 0% | Avira URL Cloud | safe
https://offlineclubz.com/PC.txt | 0% | Avira URL Cloud | safe
http://ns.adobede | 0% | Avira URL Cloud | safe
Note: the "safe" verdicts on the C2 host (wealthybillionaire.ddns.net / 185.140.53.154) and on the payload URL (https://offlineclubz.com/PC.txt, which served the PE32 that became 098765.exe) are reputation lookups that lag behind fresh infrastructure; the sandbox's own network evidence (port 5540 traffic to a dynamic-DNS host, an executable fetched from a .txt URL) outranks them. The truncated ns.adobe / n.f / go.microsoft. entries and the CRL/OCSP URLs with trailing bytes are partial strings carved from memory (XMP metadata and certificate fields), not contacted URLs.

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bit.ly | 67.199.248.10 | true | false | | high
offlineclubz.com | 82.221.105.125 | true | false | | unknown
wealthybillionaire.ddns.net | 185.140.53.154 | true | true | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
185.140.53.154 | true | Avira URL Cloud: safe | unknown
wealthybillionaire.ddns.net | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.adobe.c/s | 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp; 098765.exe, 00000004.00000003.2117350374.0000000004B43000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp; RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp; taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp; RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp | false | | high
http://ns.ao | 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | | high
http://ocsp.entrust.net03 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
http://go.microsoft. | RegAsm.exe | false | URL Reputation: safe (3 verdicts) | unknown
http://www.%s.comPA | 098765.exe, 00000004.00000002.2123869777.0000000005A00000.00000002.00000001.sdmp; RegAsm.exe, 00000005.00000002.2356838381.0000000002220000.00000002.00000001.sdmp; taskeng.exe, 00000008.00000002.2356343115.0000000001C20000.00000002.00000001.sdmp; RegAsm.exe, 00000009.00000002.2127779177.0000000002370000.00000002.00000001.sdmp | false | URL Reputation: safe (3 verdicts) | low
http://www.diginotar.nl/cps/pkioverheid0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
http://n.f | 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | URL Reputation: safe (3 verdicts) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 098765.exe, 00000004.00000002.2118199877.00000000022E1000.00000004.00000001.sdmp | false | | high
https://secure.comodo.com/CPS0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | 098765.exe, 00000004.00000002.2117910114.00000000006E8000.00000004.00000020.sdmp | false | | high
http://schema.org/WebPage | 098765.exe, 00000004.00000002.2118233396.0000000002320000.00000004.00000001.sdmp; 098765.exe, 00000004.00000002.2118217008.0000000002307000.00000004.00000001.sdm | false | | high
https://offlineclubz.com/PC.txt | 2TE7JJq[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
http://ns.adobede | 098765.exe, 00000004.00000003.2105300256.0000000004B43000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                          Contacted IPs


                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
82.221.105.125 | offlineclubz.com | Iceland | 50613 | THORDC-ASIS | false
185.140.53.154 | wealthybillionaire.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | true
67.199.248.10 | bit.ly | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS | false

                          General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435312
Start date: 16.06.2021
Start time: 12:00:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 38s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Updated Order COA.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@11/22@9/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 5.5% (good quality ratio 2.6%)
• Quality average: 24.4%
• Quality standard deviation: 30.5%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 70
• Number of non-executed functions: 16
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 192.35.177.64, 8.238.28.126, 8.241.80.126, 8.241.83.126, 8.238.85.254, 8.241.89.254, 142.250.185.68, 131.253.33.200, 13.107.22.200
• Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, apps.digsigtrust.com, ctldl.windowsupdate.com, www.google.com, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/435312/sample/Updated Order COA.doc

                          Simulations

                          Behavior and APIs

Time | Type | Description
12:01:36 | API Interceptor | 63x Sleep call for process: EQNEDT32.EXE modified
12:01:40 | API Interceptor | 133x Sleep call for process: 098765.exe modified
12:01:55 | API Interceptor | 1419x Sleep call for process: RegAsm.exe modified
12:01:57 | API Interceptor | 2x Sleep call for process: schtasks.exe modified
12:01:58 | Task Scheduler | Run new task: SMTP Service path: "C:\Users\user\AppData\Local\Temp\RegAsm.exe" s>$(Arg0)
12:01:58 | API Interceptor | 357x Sleep call for process: taskeng.exe modified

                          Joe Sandbox View / Context

                                                                          Created / dropped Files

                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: Microsoft Cabinet archive data, 60080 bytes, 1 file
Category: dropped
Size (bytes): 60080
Entropy (8bit): 7.995256720209506
Encrypted: true
SSDEEP: 768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
MD5: 6045BACCF49E1EBA0E674945311A06E6
SHA1: 379C6234849EECEDE26FAD192C2EE59E0F0221CB
SHA-256: 65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
SHA-512: DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
Malicious: false
Reputation: moderate, very likely benign file
                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: data
Category: dropped
Size (bytes): 893
Entropy (8bit): 7.366016576663508
Encrypted: false
SSDEEP: 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5: D4AE187B4574036C2D76B6DF8A8C1A30
SHA1: B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256: A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512: 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious: false
Reputation: high, very likely benign file
                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.1202775039435013
Encrypted: false
SSDEEP: 6:kKXx6yMEe8N+SkQlPlEGYRMY9z+4KlDA3RUeWlK1MMx:P8k8kPlE99SNxAhUe3OMx
MD5: 48AAC9E7FEAD1053A0FA1B4E07DC7919
SHA1: 4356801A6D304881B661B1E7FE24B4124BB152F6
SHA-256: 14BE10736942859BA83102FA16C77C1081861A12A9E741AFE502335F8641203A
SHA-512: 1E10781556327E96C61FEEDAFEEC4418191F6F7061DFF1A78950ACA0654FC711C72AB1EB759E0E51E34B151EB714AEF20D6213FFE9183A4E3D915216DA3B4FB2
Malicious: false
Reputation: low
                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: data
Category: dropped
Size (bytes): 252
Entropy (8bit): 2.96847467253794
Encrypted: false
SSDEEP: 3:kkFklR31fllXlE/+CkJdllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1yR9l1LlN:kKCR5liBAIdQZV7Qrl5
MD5: 8B5B3FD54D39A3B492C7ADCFFAA709ED
SHA1: 63158D1BEAE722B6A3996885C29C604ABCC1B7EE
SHA-256: C1FB6B3AC300A0FF6F654F684BE82F838676700ED56719848587E329D167C31C
SHA-512: C15D22D929BB610BE272CD68D713E7F23BA2480223818C04F88D474EDE7680B974BB4CCC869D7269B9E006A78397E38F530A1A066564FA78ACDDF2E3D3A5C34E
Malicious: false
Reputation: low
                                                                          Preview: p...... ....`..... ..b..(....................................................... ........[..^......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.c.4.8.0.c.7.c.5.2.f.8.0."...
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:downloaded
                                                                          Size (bytes):659456
                                                                          Entropy (8bit):6.648738100237886
                                                                          Encrypted:false
                                                                          SSDEEP:6144:ie7tkcyarn5KfNZCM2RG+zcwxOVbcEkXd5+d/T7xvoldaoAxKiYe1SvA5UamZ6vh:XFn5W8M4GSYbcb/+V7B+AcigemZ6Xd
                                                                          MD5:5688C69C4379841EEE42DCAEC2DBF55A
                                                                          SHA1:09A30EC730D1FDF77E80F6D31AA4D810E36B1C44
                                                                          SHA-256:62801897AE3411A8F144F2F7290AD2133AD0895F4F1550922DCA9C6F4B9E8114
                                                                          SHA-512:1CEE75D6FFDC9A1E9E903672C83A7E042E9A6A34D42B156BD11A6ED215A82FE336E86158892A6EE129239F52F22CCFE19062D8668C6B9BE5027775BD19424174
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 22%
                                                                          Reputation:low
                                                                          IE Cache URL:https://offlineclubz.com/PC.txt
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....37B............................~'... ...@....@.. ....................................`.................................$'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`'......H..........\...........LY..z-..................................................#Y./..U.[P..c.Q..q<z.....\..k.A..4r..CTd..41n.8.[z..,.4k...f...[....v;+ /...z.p.r..?...ql...Dy9.V..PA..h..c$....o&.tA.6@.!.bo..../.f).a(........x.L.Z......6@......EM$.7^?.0.w.2O......C.R...fc...A.>q..P2...aBZ..&o.p7.RS@<.>.TO6!;..*.....Zn.G.s.....r...j....hi.;.....B..T..Pn.../@!..o.(...d0.'D:....pu.v...^...T..c....B....G0.K}Y......ic@....R..d0q..Q.xn.BR...._8.&V...h2...[./.[..
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\2TE7JJq[1].htm
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:HTML document, ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):118
                                                                          Entropy (8bit):4.5727834342595335
                                                                          Encrypted:false
                                                                          SSDEEP:3:qVvzLURODccZ/vXbvx9nDylVbeSkHsIkFSXbKFvNGb:qFzLIeco3XLx92lReNsIMSLWQb
                                                                          MD5:8966664618E37682868AB0D64BEBEBFE
                                                                          SHA1:38FCE0D612CDEFBE2F68194AC0D38BE6FB6D3819
                                                                          SHA-256:A61F7F7C08995E9DF78299E9C8E65EA7FB97639B3DDF6F32B49DAADD155B8D4C
                                                                          SHA-512:8D68BA78CDF5997D9B95D14C70106994AE8C7F2AB02B9F528461F1DF84B7D26AF7BF304056746369D5D168E857182E126F2223EFB9321ACA8E3C75217952DAA8
                                                                          Malicious:false
                                                                          Preview: <html>.<head><title>Bitly</title></head>.<body><a href="https://offlineclubz.com/PC.txt">moved here</a></body>.</html>
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0863C5D3-5908-4917-8F28-8909E0160183}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):2150792
                                                                          Entropy (8bit):4.154182985075007
                                                                          Encrypted:false
                                                                          SSDEEP:49152:y6ugLOlOuO0O0OBwuOu8uiuKuOuFuZuOuOwzuOuN9OuOoSuOugbq:y6ugLOlOuO0O0OBwuOu8uiuKuOuFuZuA
                                                                          MD5:49CA5D1741FDA53C2894B360D1A8D648
                                                                          SHA1:44629C7D28BF1FB4087E0FB72492D2AC083C98F7
                                                                          SHA-256:4E6AE2AA54440C99F7814B49065F3CEE5742EBF6FB019677E2EFBD39958EE19B
                                                                          SHA-512:007A71A497CACD348E6490E7BC627EF6CB237AB9041127EF50F52BE985721D4BF038E6B227A324E0C5E658C04B4EB39200904A7B1FC748011D284445EAEAE328
                                                                          Malicious:false
                                                                          Preview: ..@.a.W.B.N.Z.v.a.u.7.K.A.p.V.5.Z.b.@.-.A.d.V.7.o.Z.3.o.9.t.P.U.M.i.Q.O.<.e.h.&.&.8._.M.-.C._.C.C.-.-._.-.s.,.6.5.>.9.0.0.0.8.6.$.C.v.>.I.t.=.i.9.|.:.%.a.P.d._.>.G.n.3.#.b.m.%.;.=...0.3.+.v.U.~.7...4.H.g.H.m.?.?._.W.~.5.+.T.f.I.?.n.M.[.T.M.2.7.R.w.U.D.^.:.e.].f.s.E.&.Q.k.P.0.?.G.N.D.?.v.R.6.K.P.[.H.I.C.n.9.B.i.P.s.R.^.?.].?.E.a.b.P.x.?.u.X.t.:.N.'.z.^.3.f.w.?.!.K.W.#.c.F.d.%.&.V.5.i.?.I.b.K.[.V.~.r.v.W.a.*.w.E.a.9.k.0.t.N.3.:.V.9.3.Z.?.V.].&.J.Z.0.L.A.E.6.o.>.i.p.F.f.n._.m.Q.Y.#.1.e.P.9.r.#.'.[.z.p.w.X.2.4.$.N.A.R.k.D.V.C.|.6.L.5.y.1.^.~.Q.I.6.q.T.m.>.x.I.g.B.R.G.:.f.L.[.i.0.a.*.V.$.U.r.y.h.r.y.].O.f.F.8.Y.n.y.L.l.a.T.l.I.E.C.E.?.:.b.'._.Q.A.p.H.?.d.l.'.2.F.k.:.W.S.3.L.g.7.^.u.!.|.Z.G.g.M.8.S.m.2.j.P.z.B.?.f.x.1.d.K.M.L.*.V.&.m.].].g.?.x.Y.k.m.I.T.8.j.8.&.2.T.u.'.3.U.h.U.U.Y.w.#.e.^.i.y.N.D.X.=.Z...].u.E.K.$.M.>.#.4.O.>.u.p.>.y.*.z.v.E.0.0.I.d.+.>.2.E.r.G.5.L.%.r.%.h.A.?.t.p.V.b.q.2.i._._.Z.p.'.e.m.9.?.7.W.@.Q.T.R.K.I.j.6.'.D.M.D.8.t.y...G.G.*.Z.K.n.?.A.J.c.w.r.9.S.j.^.*.s.3.*.!.c.e.N.
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{248C44A0-30CA-4646-ACFF-79FC9E14ADCB}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1024
                                                                          Entropy (8bit):0.05390218305374581
                                                                          Encrypted:false
                                                                          SSDEEP:3:ol3lYdn:4Wn
                                                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                          Malicious:false
                                                                          Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C2D3EB9C-AB70-4784-8852-5C03B64EE05D}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1536
                                                                          Entropy (8bit):1.3586208805849456
                                                                          Encrypted:false
                                                                          SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbv:IiiiiiiiiifdLloZQc8++lsJe1Mzon
                                                                          MD5:074A6EF7D45528608B5D3050054D2C36
                                                                          SHA1:FA0468DB929013612B7B3B7C01DED8003CAF3D39
                                                                          SHA-256:28BAF8E05009CC690F7B69EECEB57881D52323E6A9412B10A16F6EBD8A9A8C05
                                                                          SHA-512:DC248B1A54330C0574CB95C9E96C7095562FA9AB9673403FBA8377ACB37035A8448DB3113E7363B28C9A9C2D22C7EA52BC6833739B8801F39E6A7E3027AF994E
                                                                          Malicious:false
                                                                          Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          C:\Users\user\AppData\Local\Temp\CabAEF5.tmp
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:Microsoft Cabinet archive data, 60080 bytes, 1 file
                                                                          Category:dropped
                                                                          Size (bytes):60080
                                                                          Entropy (8bit):7.995256720209506
                                                                          Encrypted:true
                                                                          SSDEEP:768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4
                                                                          MD5:6045BACCF49E1EBA0E674945311A06E6
                                                                          SHA1:379C6234849EECEDE26FAD192C2EE59E0F0221CB
                                                                          SHA-256:65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58
                                                                          SHA-512:DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB
                                                                          Malicious:false
                                                                          Preview: MSCF............,...................I........d.........R9b .authroot.stl.3..).4..CK..8T....c_.d....A.K...].M$[v.4.)7-.%.QIR..$t)Kd.-[..T\{..ne.....{..<.......Ab.<..X....sb.....e........dbu.3...0........X..00&Z....C...p0.}..2..0m.}..Cj.9U..J.j.Y...#.L..\X..O.,...,.qu..]..(B.nE~Q...)..Gcx.....}...f....zw.a..9+[.<0.'..2 .s..ya..J......wd....OO!.s....`.WA...F6._f....6...g..2..7.$,....X.k..&...E...g.....>uv."..!......xc......C..?....P0$.Y..?u....Z0.g3.>W0&.y.(....].`>... ..R.q..wg*X......qB!.B....Z.4..>.R.M..0.8...=.8..Ya.s.......add..)..w.4.&.z...2.&74.5]..w.j.._iK..||[.w.M.!<-.}%.C<tDX5\s._..I..*..nb.....GCQ.V..r..Y.............q...0..V)Tu>.Z..r...I...<.R{Ac..x^. .<A........|.{.....Q...&....X..C$....e9.:..vI..x.R4...L......%g...<..}'{....E8Sl...E".h...*.........ItVs.K......3.9.l..`D..e.i`....y...,..5....aSs`..W...d...t.J..]....'u3..d]7..=e....[R!:........Q.%..@........ga.v.~..q....{.!N.b]x..Zx.../;#}.f.)k.c9..{rmPt..z5.m=..q..%.D#<+Ex....1|.._F.
                                                                          C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Process:C:\Users\Public\098765.exe
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):64672
                                                                          Entropy (8bit):6.033474133573561
                                                                          Encrypted:false
                                                                          SSDEEP:768:PedoViadPL1DI9WzutSjeJan8dBhF541kE6Iq8HaVxlYDKz4yqibwEBbr:XiaFJkobMa8dBXG2zbVUDKz4yq3EBbr
                                                                          MD5:ADF76F395D5A0ECBBF005390B73C3FD2
                                                                          SHA1:017801B7EBD2CC0E1151EEBEC14630DBAEE48229
                                                                          SHA-256:5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
                                                                          SHA-512:9670AC5A10719FA312336B790EAD713D78A9999DB236AD0841A32CD689559B9F5F8469E3AF93400F1BE5BAF2B3723574F16EA554C2AAF638734FFF806F18DB2B
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Metadefender, Detection: 0%
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: Ref 0180066743.xlsx, Detection: malicious
                                                                          • Filename: Purchase Order Price List.xlsx, Detection: malicious
                                                                          • Filename: Quote QU038097.doc, Detection: malicious
                                                                          • Filename: 6Cprm97UTl.xls, Detection: malicious
                                                                          • Filename: Payment_Confirmation_Slip.xlsx, Detection: malicious
                                                                          • Filename: Overdue Invoice.xlsx, Detection: malicious
                                                                          • Filename: Quotation.xlsx, Detection: malicious
                                                                          • Filename: ENCLOSE ORDER LIST.xlsx, Detection: malicious
                                                                          • Filename: PO INV 195167 & 195324.xlsx, Detection: malicious
                                                                          • Filename: Bank letter.xlsx, Detection: malicious
                                                                          • Filename: Quotation.xlsx, Detection: malicious
                                                                          • Filename: PO 19030004.xlsx, Detection: malicious
                                                                          • Filename: New PO PO20.xlsx, Detection: malicious
                                                                          • Filename: ORDER LIST.xlsx, Detection: malicious
                                                                          • Filename: RFQ 00112.xlsx, Detection: malicious
                                                                          • Filename: inquiry.xlsx, Detection: malicious
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.W..............0.................. ........@.. ....................... ......k.....`.....................................O.......8................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H........A..`p...........................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.;...}S......i.>...}T......i.>...}U.....+m...(....o......r]..p.o ...,..{T.......{U........o!....+(.ra..p.o ...,..{T.......
                                                                          C:\Users\user\AppData\Local\Temp\TarAEF6.tmp
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):156885
                                                                          Entropy (8bit):6.30972017530066
                                                                          Encrypted:false
                                                                          SSDEEP:1536:NlR6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMuGmO:N2UJcCyZfdmoku2SL3kMnBGuzO
                                                                          MD5:9BE376D85B319264740EF583F548B72A
                                                                          SHA1:6C6416CBC51AAC89A21A529695A8FCD3AD5E6B85
                                                                          SHA-256:07FDF8BC502E6BB4CF6AE214694F45C54A53228FC2002B2F17C9A2EF64EB76F6
                                                                          SHA-512:8AFC5D0D046E8B410EC1D29E2E16FB00CD92F8822D678AA0EE2A57098E05F2A0E165858347F035AE593B62BF195802CB6F9A5F92670041E1828669987CEEC7DE
                                                                          Malicious:false
                                                                          Preview: 0..d...*.H.........d.0..d....1.0...`.H.e......0..T...+.....7.....T.0..T.0...+.....7........L.E*u...210519191503Z0...+......0..T.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                          C:\Users\user\AppData\Local\Temp\tmp7790.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1307
                                                                          Entropy (8bit):5.10141182324719
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Wa5xtn:cbk4oL600QydbQxIYODOLedq39a5j
                                                                          MD5:0110BA0E94E360796104E322DF75DC7B
                                                                          SHA1:2BB7D2336F5FF60FD081D548CB4FD2ACB1DFF02C
                                                                          SHA-256:967AB39BFA0491BC2107EB6BFF58F3C8750C9D1C6EE34B467FE764593E7768CB
                                                                          SHA-512:FFF636DB45ED48968BF8738E08AE2EAA1AD665BCB081A568C4669F02BB5816918A89E7B60E2BC7D689423A7697D01369C072578377DB13B1B1050CF5FE9CF46F
                                                                          Malicious:true
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:ISO-8859 text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:8Q1t:8Q1t
                                                                          MD5:38A4642F1D21738670A0A97C59F534B8
                                                                          SHA1:00297350A2EC9C0E1D29843C4DDF97C4029F0701
                                                                          SHA-256:667B327299E4A2AFAF51EE5A8566BD177796B84AF410A31B04B6BC5C9B447220
                                                                          SHA-512:9837D7285E4FF71F5CC70EC12CF85ECC3F7EBBC59CC07EA81B22D4A1720E3A80C81419F4EEBB3C18D5F94BF33A467967678BD65A019B9EC36F4BBBDFB521DEDF
                                                                          Malicious:true
                                                                          Preview: .O.5.0.H
                                                                          C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):44
                                                                          Entropy (8bit):4.24615711897243
                                                                          Encrypted:false
                                                                          SSDEEP:3:oNXp4E2J5xAI0L4A:oNP23f0L4A
                                                                          MD5:5E660472C77DA3439F72326B5DFFB266
                                                                          SHA1:AF5C9036F8FFDEE6DDA4F0FCB98FDCBA1C66929F
                                                                          SHA-256:D4496716123174FC18832BF7C22003B0A1B4D9140FBC672F91EF5687B85A5446
                                                                          SHA-512:B7840F8FF63AE79CB828851FAC8AEFA97E97427E1A5A47967A95C42AB2C3163FC1960F7BB3B065B6509648D133DA3AB8AFBA9B5E6F018DB5556E9153679841B0
                                                                          Malicious:false
                                                                          Preview: C:\Users\user\AppData\Local\Temp\RegAsm.exe
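The dropped-file entries above carry the pivots a responder wants without spelling them out: EQNEDT32.EXE fetching a PE32 .NET assembly that is stored as PC[1].txt, the Bitly landing page that redirects to that download, a PE (RegAsm.exe) written into %Temp% by a binary running from C:\Users\Public, a Task Scheduler XML requesting RunLevel HighestAvailable, and a GUID-named Roaming folder holding run.dat and task.dat (the persistence layout NanoCore uses), with task.dat naming the path the RAT runs from. The script below is an added example, not part of this report and not Joe Sandbox code: it parses the flattened "path line followed by Key:Value lines" layout shown on this page and applies rules that encode only those observations. The sample input is a constructed abridgement of five of the records above (hashes and most preview bytes dropped, the fields the rules read kept verbatim); the function names and finding codes are this example's own.

```python
"""
Triage a sandbox 'Dropped Files' list for the indicators worth pivoting on.
Added example: not part of the report and not Joe Sandbox code.  It parses
the flattened 'path line + Key:Value lines' layout used on this page and
applies rules derived from the entries listed above.
"""
import ntpath
import re

# Constructed sample: five records abridged from the report (hashes and most
# preview bytes removed; the fields the rules look at are copied verbatim).
SAMPLE = r"""
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\2TE7JJq[1].htm
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:HTML document, ASCII text
Category:dropped
Malicious:false
Preview: <html>.<head><title>Bitly</title></head>.<body><a href="https://offlineclubz.com/PC.txt">moved here</a></body>.</html>
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\PC[1].txt
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:downloaded
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 22%
IE Cache URL:https://offlineclubz.com/PC.txt
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
C:\Users\user\AppData\Local\Temp\RegAsm.exe
Process:C:\Users\Public\098765.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Malicious:true
C:\Users\user\AppData\Local\Temp\tmp7790.tmp
Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Malicious:true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>
C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat
Process:C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:ASCII text, with no line terminators
Category:dropped
Malicious:false
Preview: C:\Users\user\AppData\Local\Temp\RegAsm.exe
"""

PATH_LINE = re.compile(r"^[A-Za-z]:\\")
GUID_DAT = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\(?:run|task)\.dat$", re.I)
HREF = re.compile(r'href="([^"]+)"')
RUNLEVEL = re.compile(r"<RunLevel>([^<]+)</RunLevel>")
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".cpl", ".ocx", ".sys"}


def parse_records(text):
    """Turn the flattened report text into one dict per dropped file."""
    records, rec, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_LINE.match(line):            # a record starts with its full path
            rec = {"path": line}
            records.append(rec)
            last_key = None
        elif rec is None:
            continue
        elif line.startswith("•"):           # bullet rows belong to the preceding list key
            key = last_key if isinstance(rec.get(last_key), list) else "items"
            rec.setdefault(key, []).append(line.lstrip("• "))
        else:
            key, _, value = line.partition(":")   # split on the first colon only
            key, value = key.strip(), value.strip()
            rec[key] = [] if key in ("Antivirus", "Joe Sandbox View") else value
            last_key = key
    return records


def flag(rec):
    """Return (code, detail) findings for one dropped-file record."""
    path, proc = rec["path"], rec.get("Process", "")
    lproc = proc.lower()
    ftype, preview = rec.get("File Type", ""), rec.get("Preview", "")
    ext = ntpath.splitext(path)[1].lower()
    is_pe = ftype.startswith("PE32") or preview.startswith("MZ")
    out = []
    if is_pe and lproc.endswith("\\eqnedt32.exe"):      # Equation Editor writing a PE
        out.append(("pe-written-by-eqnedt32", f"PE written by {proc}"))
    if is_pe and ext not in EXEC_EXT:                   # PE hidden behind a harmless extension
        out.append(("pe-nonexec-extension", f"PE stored as {ext or '(no extension)'}"))
    if is_pe and rec.get("IE Cache URL"):               # payload fetched over the network
        out.append(("pe-downloaded", rec["IE Cache URL"]))
    if is_pe and any(d in lproc for d in USER_WRITABLE):  # dropper itself lives in user space
        out.append(("pe-from-user-writable-process", proc))
    if "<title>Bitly</title>" in preview:               # shortener landing page, follow the href
        m = HREF.search(preview)
        out.append(("shortener-redirect", m.group(1) if m else "(target not in preview)"))
    if "/mit/task" in preview:                          # Task Scheduler XML definition
        m = RUNLEVEL.search(preview)
        if m and m.group(1) == "HighestAvailable":
            out.append(("task-xml-highest-available", f"written by {proc}"))
    if GUID_DAT.search(path):                           # NanoCore-style run.dat/task.dat folder
        detail = f"points at {preview}" if preview.lower().endswith(".exe") else "marker file"
        out.append(("guid-persistence-dir", detail))
    return out


def triage(text):
    """Map each dropped-file path to its findings; clean entries are omitted."""
    result = {}
    for rec in parse_records(text):
        findings = flag(rec)
        if findings:
            result[rec["path"]] = findings
    return result


if __name__ == "__main__":
    for path, findings in triage(SAMPLE).items():
        print(ntpath.basename(path))
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

Run it against the full page text to get the same table for every record; the rules are deliberately narrow (they key on the process name, the PE magic, the Bitly title, the task-schema namespace and the GUID folder), so extend EXEC_EXT and USER_WRITABLE before pointing it at reports from other samples.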
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Updated Order COA.LNK
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jun 16 18:01:33 2021, length=2676268, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2098
                                                                          Entropy (8bit):4.559640915747649
                                                                          Encrypted:false
                                                                          SSDEEP:24:85k/XTd6jFyoFreKZQDv3qadM7dD25k/XTd6jFyoFreKZQDv3qadM7dV:8S/XT0jFJxHZaQh2S/XT0jFJxHZaQ/
                                                                          MD5:1D986D013CAC96F831E9E632B5E3843D
                                                                          SHA1:21A72652B7C0A32B4882C4B193AE460B692A1BB3
                                                                          SHA-256:64DCBD0B651A0FE9D4BA4FE4A943EE10C46C28A4281FF737D828042434399F57
                                                                          SHA-512:252EA7098199805AD0F5936E90D3221E3DBE39C901CEA984B4394ED420DD170BFF554A7BDADDBBDE1CF17842C63A86DC15E7C34435C47C1B15663239BD0CCACC
                                                                          Malicious:false
                                                                          Preview: L..................F.... ...<f...{..<f...{.... ..b..,.(..........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2.,.(..R1. .UPDATE~1.DOC..X.......Q.y.Q.y*...8.....................U.p.d.a.t.e.d. .O.r.d.e.r. .C.O.A...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\179605\Users.user\Desktop\Updated Order COA.doc.,.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.U.p.d.a.t.e.d. .O.r.d.e.r. .C.O.A...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......179605..........D_....3N...W...9F.C
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):89
                                                                          Entropy (8bit):4.359207826504001
                                                                          Encrypted:false
                                                                          SSDEEP:3:M1EEUkLUoVNkLUmX1EEUkLUv:M+E9528E9C
                                                                          MD5:49B80095D2558145DCCEEC72D874A816
                                                                          SHA1:931ADA0FE83161BCC2DBB495CF43FBFB1D3EC2DB
                                                                          SHA-256:816C4C832C4BE334D7658C2AC92D0F06323212C8CF8FDE5D3FCB21EE23B2D834
                                                                          SHA-512:2CA750205D5B520F37A66DCED0C22D531EA25E779F7F4B056CCEBF02D6E324C5FF77409CF6F43F481CD56B5F072F29CF54C9103CBA6EF530C247707085035D3F
                                                                          Malicious:false
                                                                          Preview: [doc]..Updated Order COA.LNK=0..Updated Order COA.LNK=0..[doc]..Updated Order COA.LNK=0..
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):162
                                                                          Entropy (8bit):2.431160061181642
                                                                          Encrypted:false
                                                                          SSDEEP:3:vrJlaCkWtVysAiJNGlzgYGwg32LbO/ln:vdsCkWthASq+l
                                                                          MD5:4CDEC46BF4C5E1435E277CB4821D6306
                                                                          SHA1:506F3E77835A2AE504189833D4EF30799A0ACE45
                                                                          SHA-256:39A3F2156450758ACBBCB3D8E9461BB4CDD93F41A3EC3A4013F4EB8D2A906537
                                                                          SHA-512:7039ED1E181A8368526A65F6F0D2F70E5BCEBD37BB3BFD8E270BB305F405DB0D843B1CAF6E4E05F6CF1D203A8AA326A1316CDDDD085DD59DB15A82A26E6FA575
                                                                          Malicious:false
                                                                          Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
                                                                          C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):2
                                                                          Entropy (8bit):1.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:Qn:Qn
                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                          Malicious:false
                                                                          Preview: ..
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WG4KTJBM.txt
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:ASCII text
                                                                          Category:downloaded
                                                                          Size (bytes):90
                                                                          Entropy (8bit):4.367513759017689
                                                                          Encrypted:false
                                                                          SSDEEP:3:jvDiIEKEc2/KHMYi2EWcKvW26YV/n:fiwEP/KHbi2kKvCYV/n
                                                                          MD5:A8822E64EB6D7DADA85EF5B64BA6AE9D
                                                                          SHA1:9678247403B198C7B085E6190D800BA0B719B52B
                                                                          SHA-256:9DD9ACB3E005FE39583C889004C06060F8178291BDD68EDF3048643A51E0E300
                                                                          SHA-512:F006C0FD1028DF6432B77BC1CD7E10A6BE7A023B5CDA66E137D57CFC71252A1DBFDB619E8E02348049F675A1564B92AC609A2575D84F351B0F8FA1C2FF78E5B3
                                                                          Malicious:false
                                                                          IE Cache URL:bit.ly/
                                                                          Preview: _bit.l5ga1G-ac8a65c983a3f14e72-00e.bit.ly/.1536.1838876416.30928904.1335906363.30892770.*.
                                                                          C:\Users\user\Desktop\~$dated Order COA.doc
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):162
                                                                          Entropy (8bit):2.431160061181642
                                                                          Encrypted:false
                                                                          SSDEEP:3:vrJlaCkWtVysAiJNGlzgYGwg32LbO/ln:vdsCkWthASq+l
                                                                          MD5:4CDEC46BF4C5E1435E277CB4821D6306
                                                                          SHA1:506F3E77835A2AE504189833D4EF30799A0ACE45
                                                                          SHA-256:39A3F2156450758ACBBCB3D8E9461BB4CDD93F41A3EC3A4013F4EB8D2A906537
                                                                          SHA-512:7039ED1E181A8368526A65F6F0D2F70E5BCEBD37BB3BFD8E270BB305F405DB0D843B1CAF6E4E05F6CF1D203A8AA326A1316CDDDD085DD59DB15A82A26E6FA575
                                                                          Malicious:false
                                                                          Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
                                                                          C:\Users\Public\098765.exe
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:modified
                                                                          Size (bytes):659456
                                                                          Entropy (8bit):6.648738100237886
                                                                          Encrypted:false
                                                                          SSDEEP:6144:ie7tkcyarn5KfNZCM2RG+zcwxOVbcEkXd5+d/T7xvoldaoAxKiYe1SvA5UamZ6vh:XFn5W8M4GSYbcb/+V7B+AcigemZ6Xd
                                                                          MD5:5688C69C4379841EEE42DCAEC2DBF55A
                                                                          SHA1:09A30EC730D1FDF77E80F6D31AA4D810E36B1C44
                                                                          SHA-256:62801897AE3411A8F144F2F7290AD2133AD0895F4F1550922DCA9C6F4B9E8114
                                                                          SHA-512:1CEE75D6FFDC9A1E9E903672C83A7E042E9A6A34D42B156BD11A6ED215A82FE336E86158892A6EE129239F52F22CCFE19062D8668C6B9BE5027775BD19424174
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 22%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....37B............................~'... ...@....@.. ....................................`.................................$'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`'......H..........\...........LY..z-..................................................#Y./..U.[P..c.Q..q<z.....\..k.A..4r..CTd..41n.8.[z..,.4k...f...[....v;+ /...z.p.r..?...ql...Dy9.V..PA..h..c$....o&.tA.6@.!.bo..../.f).a(........x.L.Z......6@......EM$.7^?.0.w.2O......C.R...fc...A.>q..P2...aBZ..&o.p7.RS@<.>.TO6!;..*.....Zn.G.s.....r...j....hi.;.....B..T..Pn.../@!..o.(...d0.'D:....pu.v...^...T..c....B....G0.K}Y......ic@....R..d0q..Q.xn.BR...._8.&V...h2...[./.[..

                                                                          Static File Info

                                                                          General

                                                                          File type:Rich Text Format data, unknown version
                                                                          Entropy (8bit):5.29364667275501
                                                                          TrID:
                                                                          • Rich Text Format (5005/1) 55.56%
                                                                          • Rich Text Format (4004/1) 44.44%
                                                                          File name:Updated Order COA.doc
                                                                          File size:2676268
                                                                          MD5:59f9c2a162cf48fe5819f58b697c107c
                                                                          SHA1:f8702f19bae3a9f2dd1fca58f6eae3d6e62d4878
                                                                          SHA256:23a865d4a1205be496c45012233d96255c90102e3925dab252d30d9a70f82ba9
                                                                          SHA512:2a992461f865f9d78cf7c183a97e0051914efd0e1921cf0e9f589546e3c01aabd2c8fae177d0d5a4111629fe2acbecbc8c7540e42bc542fce9e046ac6c0ccf22
                                                                          SSDEEP:24576:sBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhBhB2SdWnK596WRaSm:v
                                                                          File Content Preview:{\rtf00529\page63728156246287781@aWBNZvau7KApV5Zb@-AdV7oZ3o9tPUMiQO<eh&&8_M-C_CC--_-s,65>900086$Cv>It=i9|:%aPd_>Gn3#bm%\vLIL;=\lujj674458.03............+vU~7.4HgHm??_W~5+TfI?nM[TM27RwUD^:e]fsE&QkP0?GND?vR6KP[HICn9BiPsR^?]?EabPx?uXt:N'z^3fw?!KW#cFd%&V5i?Ib

                                                                          File Icon

                                                                          Icon Hash:e4eea2aaa4b4b4a4

                                                                          Static RTF Info

                                                                          Objects

Id  Start  Format ID  Format  Classname  Datasize  Filename  Sourcepath  Temppath  Exploit
000105CB2hno
100105C81hno
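The Objects table above is the output of the sandbox's static RTF parser. The Python below is an added example, not part of this report and not Joe Sandbox code: it reproduces the essentials of that parse for an RTF on disk, locating each `\objdata` group, hex-decoding it and reading the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) so the Format ID (2 = embedded, as in the table) and the OLE class name are visible without opening the document. An `Equation.*` class name is the trigger for the EQNEDT32.EXE process chain this report records. The scanner checks only the `{\rtf` prefix because Word accepts a mangled version number such as the `{\rtf00529` shown in the content preview above. The sample document, the class-name list and the result field names are constructed for illustration and are not taken from the analysed file.

```python
import re
import struct

# OLE 1.0 FormatID values from MS-OLEDS 2.2.4 (1 = linked object, 2 = embedded object)
OLE_FORMAT_NAMES = {1: "linked", 2: "embedded"}
# Class names that hand the embedded data to Equation Editor (EQNEDT32.EXE);
# an illustrative list, assumed here rather than taken from the report
EQUATION_CLASSES = ("Equation.3", "Equation.2", "Equation.DSMT4")

_OBJDATA = re.compile(rb"\\objdata\b")
_CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d*")


def _lp_ansi(s: str) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length (incl. NUL) then bytes; empty -> length 0."""
    if not s:
        return struct.pack("<I", 0)
    b = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(b)) + b


def build_objdata(class_name: str, native_data: bytes) -> bytes:
    """Build an OLE 1.0 ObjectHeader followed by an EmbeddedObject payload (FormatID 2)."""
    return (struct.pack("<II", 0x00000501, 2)                   # OLEVersion, FormatID=embedded
            + _lp_ansi(class_name) + _lp_ansi("") + _lp_ansi("")  # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native_data)) + native_data)  # NativeDataSize, NativeData


def _group_body(rtf: bytes, start: int) -> bytes:
    """Return the bytes from start up to the '}' that closes the enclosing RTF group."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"\\" and rtf[i + 1:i + 2] in (b"{", b"}", b"\\"):
            i += 2                      # escaped brace or backslash, not group structure
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                break
            depth -= 1
        i += 1
    return rtf[start:i]


def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader at the start of a decoded \\objdata blob."""
    off = 0
    ole_version, format_id = struct.unpack_from("<II", blob, off)
    off += 8
    names = []
    for _ in range(3):                  # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    native_size = None
    if format_id == 2 and off + 4 <= len(blob):
        (native_size,) = struct.unpack_from("<I", blob, off)
    return {"ole_version": ole_version, "format_id": format_id,
            "format": OLE_FORMAT_NAMES.get(format_id, "unknown"),
            "class_name": names[0], "native_size": native_size}


def scan_rtf_objects(rtf: bytes) -> list:
    """List every \\objdata object with its OLE class name and a suspicion flag."""
    # Word accepts mangled headers such as {\rtf00529, so only the {\rtf prefix is checked.
    if not rtf.lstrip().startswith(b"{\\rtf"):
        raise ValueError("not an RTF document")
    found = []
    for m in _OBJDATA.finditer(rtf):
        # Drop stray control words attackers sprinkle into the hex, then keep hex digits only.
        body = _CONTROL_WORD.sub(b"", _group_body(rtf, m.end()))
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        blob = bytes.fromhex(hexchars.decode("ascii"))
        if len(blob) < 12:
            continue                    # too short to carry an ObjectHeader
        info = parse_ole1_header(blob)
        info["start"] = m.start()       # offset of the \objdata control word in the file
        info["suspicious"] = info["class_name"] in EQUATION_CLASSES
        found.append(info)
    return found


# Constructed sample document (not the file from this report): an obfuscated header like the
# one in the preview, one Equation.3 object and one harmless Package object.
SAMPLE_RTF = (
    b"{\\rtf00529\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    + build_objdata("Equation.3", b"\x1c\x00" + b"A" * 40).hex().encode()
    + b"}}{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + build_objdata("Package", b"\x02\x00hello").hex().encode() + b"}}}"
)

if __name__ == "__main__":
    for o in scan_rtf_objects(SAMPLE_RTF):
        print(f"start={o['start']:#x} format={o['format']} class={o['class_name']!r} "
              f"size={o['native_size']} suspicious={o['suspicious']}")
```

The `start` value is the offset of the `\objdata` control word, which is close to but not necessarily identical with the sandbox's Start column. The hex cleaning is deliberately tolerant: exploit builders pad `\objdata` with control words, line breaks and nested groups so that naive hex decoders fail while Word's parser still recovers the object, so a scanner that stops at the first oddity will miss exactly the documents it is meant to catch.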

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Jun 16, 2021 12:01:41.864188910 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:41.916448116 CEST  443          49167      67.199.248.10   192.168.2.22
Jun 16, 2021 12:01:41.916583061 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:41.935142994 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:41.985265970 CEST  443          49167      67.199.248.10   192.168.2.22
Jun 16, 2021 12:01:41.986512899 CEST  443          49167      67.199.248.10   192.168.2.22
Jun 16, 2021 12:01:41.986597061 CEST  443          49167      67.199.248.10   192.168.2.22
Jun 16, 2021 12:01:41.986649036 CEST  443          49167      67.199.248.10   192.168.2.22
Jun 16, 2021 12:01:41.986722946 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:41.986784935 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:41.986793041 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:42.002804041 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:42.053019047 CEST  443          49167      67.199.248.10   192.168.2.22
Jun 16, 2021 12:01:42.053179979 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:42.254595041 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:42.310520887 CEST  443          49167      67.199.248.10   192.168.2.22
Jun 16, 2021 12:01:42.394532919 CEST  443          49167      67.199.248.10   192.168.2.22
Jun 16, 2021 12:01:42.394695044 CEST  49167        443        192.168.2.22    67.199.248.10
Jun 16, 2021 12:01:42.711577892 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:42.806293964 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:42.806401968 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:42.807127953 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:42.900615931 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:42.900685072 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:42.900734901 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:42.900779963 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:42.900799990 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:42.900809050 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:42.900829077 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:42.900863886 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:42.903520107 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:42.997950077 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:42.998040915 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.245289087 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.338879108 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.338929892 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.338953018 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.338963032 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.338978052 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.338998079 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.338999987 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.339004993 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.339009047 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.339024067 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.339046001 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.339056015 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.339065075 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.339065075 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.339086056 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.339087963 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.339101076 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.339133024 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.342044115 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432462931 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432490110 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432504892 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432600975 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432626963 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432648897 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432650089 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432678938 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432692051 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432708025 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432719946 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432739019 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432748079 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432774067 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432777882 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432805061 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432807922 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432832956 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432842016 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432861090 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432868004 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432890892 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432902098 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432924032 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432950020 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432951927 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432955980 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.432980061 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.432996035 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.433007956 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.433010101 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.433036089 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.433044910 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.433073997 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.435357094 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.435476065 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.439714909 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528527975 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528585911 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528624058 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528661966 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528691053 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528702021 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528714895 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528738976 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528750896 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528778076 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528785944 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528815985 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528824091 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528862000 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528863907 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528909922 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528914928 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528947115 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.528969049 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528979063 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.528986931 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.529025078 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.529036999 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.529062033 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.529074907 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.529088020 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.529099941 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.529105902 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.529136896 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.529167891 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.529181004 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.529206991 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.529212952 CEST  49168        443        192.168.2.22    82.221.105.125
Jun 16, 2021 12:01:44.529243946 CEST  443          49168      82.221.105.125  192.168.2.22
Jun 16, 2021 12:01:44.529257059 CEST  49168        443        192.168.2.22    82.221.105.125
                                                                          Jun 16, 2021 12:01:44.529284000 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529289961 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529321909 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529329062 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529370070 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529381037 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529414892 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529422998 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529460907 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529463053 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529505014 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529510975 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529553890 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529556990 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529592037 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529596090 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529630899 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529638052 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529670000 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529670954 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529706955 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529710054 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529745102 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529747009 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529783010 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529783964 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529823065 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529830933 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529872894 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529872894 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529912949 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.529915094 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.529953957 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.530601978 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.530642986 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.530654907 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.530689955 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.535041094 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.535144091 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.539103985 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623358965 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623424053 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623462915 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623501062 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623534918 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623538971 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623577118 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623578072 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623588085 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623596907 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623620987 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623625994 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623668909 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623672962 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623707056 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623713017 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623744965 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623747110 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623784065 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623785973 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623823881 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623828888 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623862982 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623886108 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623898029 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623912096 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623946905 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.623960018 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.623996973 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624001980 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624039888 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624042034 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624078989 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624080896 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624116898 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624133110 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624155045 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624155998 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624192953 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624193907 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624233007 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624234915 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624270916 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624279976 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624315977 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624325037 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624361992 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.624363899 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.624403000 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.628463984 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.628520966 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.628599882 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.628631115 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.631436110 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632383108 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632425070 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632462025 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632468939 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632488966 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632508039 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632512093 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632550955 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632580996 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632590055 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632599115 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632631063 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632658958 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632669926 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632677078 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632709980 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632734060 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632747889 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632752895 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632786036 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632796049 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632834911 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632838964 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632877111 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632889032 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632916927 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632946014 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632956028 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.632961035 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.632993937 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.633019924 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.633030891 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.633038044 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.633069992 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.633093119 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.633109093 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.633111000 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.633157015 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.633164883 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.633198023 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.633215904 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.633238077 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.633251905 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.633281946 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.637897015 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.719861031 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.719942093 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.719991922 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720033884 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720052958 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720073938 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720089912 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720113993 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720128059 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720153093 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720182896 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720190048 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720216036 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720231056 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720253944 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720287085 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720362902 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720365047 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720402956 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720426083 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720441103 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720458031 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720480919 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720499992 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720519066 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720535040 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720558882 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.720583916 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.720593929 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726588964 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726658106 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726701021 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726710081 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726732016 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726739883 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726778984 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726782084 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726797104 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726819992 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726835966 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726857901 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726890087 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726897001 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726929903 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726937056 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.726948977 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.726985931 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.727000952 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.727027893 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.727056026 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.727066994 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.727097034 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.727119923 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.727587938 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.909888983 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.909914017 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.909926891 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.909954071 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.909964085 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.909990072 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910001040 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.910027981 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910037994 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.910064936 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910084963 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.910099983 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910126925 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.910147905 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910166025 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.910187960 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910203934 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.910228014 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910240889 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.910267115 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910278082 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.910299063 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.910332918 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.914616108 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914669991 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914707899 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914731979 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.914746046 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914772034 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.914786100 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914810896 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.914824963 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914844990 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.914864063 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914889097 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.914901972 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914927006 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.914951086 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.914968967 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.914994001 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915007114 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915031910 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915049076 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915071011 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915096045 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915108919 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915138960 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915178061 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915179968 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915226936 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915260077 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915298939 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915342093 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915384054 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915410042 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915420055 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915442944 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915457964 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915479898 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915496111 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915519953 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915532112 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915555954 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915570021 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915599108 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915616989 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915635109 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915656090 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915678024 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915716887 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915875912 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915910959 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915941000 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.915942907 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915982962 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.915987015 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.916018009 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.916048050 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.916049004 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.916073084 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:44.916086912 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.916131020 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:44.948302031 CEST49168443192.168.2.2282.221.105.125
                                                                          Jun 16, 2021 12:01:45.041841984 CEST4434916882.221.105.125192.168.2.22
                                                                          Jun 16, 2021 12:01:46.066966057 CEST49167443192.168.2.2267.199.248.10
                                                                          Jun 16, 2021 12:02:03.795921087 CEST491735540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:02:06.794615030 CEST491735540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:02:12.801198959 CEST491735540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:02:21.165858984 CEST491745540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:02:24.158992052 CEST491745540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:02:30.181118965 CEST491745540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:02:39.340995073 CEST491755540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:02:42.350258112 CEST491755540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:02:48.387996912 CEST491755540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:08.257975101 CEST491765540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:11.259737015 CEST491765540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:17.266290903 CEST491765540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:25.398720980 CEST491775540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:28.405504942 CEST491775540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:34.412018061 CEST491775540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:42.024730921 CEST491785540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:45.021105051 CEST491785540192.168.2.22185.140.53.154
                                                                          Jun 16, 2021 12:03:51.027560949 CEST491785540192.168.2.22185.140.53.154

                                                                          UDP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP

                                                                          DNS Queries

                                                                          Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                         Type            Class
                                                                          Jun 16, 2021 12:01:41.736845970 CEST  192.168.2.22  8.8.8.8  0x7e45    Standard query (0)  bit.ly                       A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:41.790910006 CEST  192.168.2.22  8.8.8.8  0x7e45    Standard query (0)  bit.ly                       A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:42.417480946 CEST  192.168.2.22  8.8.8.8  0xef41    Standard query (0)  offlineclubz.com             A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:42.534173012 CEST  192.168.2.22  8.8.8.8  0xef41    Standard query (0)  offlineclubz.com             A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:42.646984100 CEST  192.168.2.22  8.8.8.8  0xef41    Standard query (0)  offlineclubz.com             A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:03:08.136887074 CEST  192.168.2.22  8.8.8.8  0xbeb3    Standard query (0)  wealthybillionaire.ddns.net  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:03:08.196099997 CEST  192.168.2.22  8.8.8.8  0xbeb3    Standard query (0)  wealthybillionaire.ddns.net  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:03:25.335786104 CEST  192.168.2.22  8.8.8.8  0xe42b    Standard query (0)  wealthybillionaire.ddns.net  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:03:41.962121010 CEST  192.168.2.22  8.8.8.8  0xa0c2    Standard query (0)  wealthybillionaire.ddns.net  A (IP address)  IN (0x0001)

                                                                          DNS Answers

                                                                          (CName column omitted: empty for every row)
                                                                          Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name                         Address         Type            Class
                                                                          Jun 16, 2021 12:01:41.790587902 CEST  8.8.8.8    192.168.2.22  0x7e45    No error (0)  bit.ly                       67.199.248.10   A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:41.790587902 CEST  8.8.8.8    192.168.2.22  0x7e45    No error (0)  bit.ly                       67.199.248.11   A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:41.846062899 CEST  8.8.8.8    192.168.2.22  0x7e45    No error (0)  bit.ly                       67.199.248.10   A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:41.846062899 CEST  8.8.8.8    192.168.2.22  0x7e45    No error (0)  bit.ly                       67.199.248.11   A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:42.533705950 CEST  8.8.8.8    192.168.2.22  0xef41    No error (0)  offlineclubz.com             82.221.105.125  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:42.646461964 CEST  8.8.8.8    192.168.2.22  0xef41    No error (0)  offlineclubz.com             82.221.105.125  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:01:42.709249973 CEST  8.8.8.8    192.168.2.22  0xef41    No error (0)  offlineclubz.com             82.221.105.125  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:03:08.195612907 CEST  8.8.8.8    192.168.2.22  0xbeb3    No error (0)  wealthybillionaire.ddns.net  185.140.53.154  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:03:08.255234957 CEST  8.8.8.8    192.168.2.22  0xbeb3    No error (0)  wealthybillionaire.ddns.net  185.140.53.154  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:03:25.396533966 CEST  8.8.8.8    192.168.2.22  0xe42b    No error (0)  wealthybillionaire.ddns.net  185.140.53.154  A (IP address)  IN (0x0001)
                                                                          Jun 16, 2021 12:03:42.022552013 CEST  8.8.8.8    192.168.2.22  0xa0c2    No error (0)  wealthybillionaire.ddns.net  185.140.53.154  A (IP address)  IN (0x0001)

                                                                          HTTPS Packets

                                                                          Timestamp:Jun 16, 2021 12:01:41.986649036 CEST
                                                                          Source IP:67.199.248.10    Source Port:443    Dest IP:192.168.2.22    Dest Port:49167
                                                                          Certificate chain:
                                                                            Subject:CN=bit.ly, O="Bitly, Inc.", L=New York, ST=New York, C=US, SERIALNUMBER=4627013, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
                                                                            Issuer:CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                            Not Before:Wed Aug 05 02:00:00 CEST 2020    Not After:Tue Aug 10 14:00:00 CEST 2021
                                                                            Subject:CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                            Issuer:CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                            Not Before:Tue Oct 22 14:00:00 CEST 2013    Not After:Sun Oct 22 14:00:00 CEST 2028
                                                                          JA3 SSL Client Fingerprint:771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
                                                                          JA3 SSL Client Digest:7dcce5b76c8b17472d024758970a406b

                                                                          Timestamp:Jun 16, 2021 12:01:42.900809050 CEST
                                                                          Source IP:82.221.105.125    Source Port:443    Dest IP:192.168.2.22    Dest Port:49168
                                                                          Certificate chain:
                                                                            Subject:CN=offlineclubz.com
                                                                            Issuer:CN=R3, O=Let's Encrypt, C=US
                                                                            Not Before:Wed Jun 16 00:18:52 CEST 2021    Not After:Tue Sep 14 00:18:51 CEST 2021
                                                                            Subject:CN=R3, O=Let's Encrypt, C=US
                                                                            Issuer:CN=ISRG Root X1, O=Internet Security Research Group, C=US
                                                                            Not Before:Fri Sep 04 02:00:00 CEST 2020    Not After:Mon Sep 15 18:00:00 CEST 2025
                                                                            Subject:CN=ISRG Root X1, O=Internet Security Research Group, C=US
                                                                            Issuer:CN=DST Root CA X3, O=Digital Signature Trust Co.
                                                                            Not Before:Wed Jan 20 20:14:03 CET 2021    Not After:Mon Sep 30 20:14:03 CEST 2024
                                                                          JA3 SSL Client Fingerprint:771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
                                                                          JA3 SSL Client Digest:7dcce5b76c8b17472d024758970a406b

                                                                          Code Manipulations

                                                                          Statistics

                                                                          [Charts not reproduced in text: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior]

                                                                          System Behavior

                                                                          General

                                                                          Start time:12:01:34
                                                                          Start date:16/06/2021
                                                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          Wow64 process (32bit):false
                                                                          Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                          Imagebase:0x13ffc0000
                                                                          File size:1424032 bytes
                                                                          MD5 hash:95C38D04597050285A18F66039EDB456
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:12:01:35
                                                                          Start date:16/06/2021
                                                                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                          Imagebase:0x400000
                                                                          File size:543304 bytes
                                                                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:12:01:39
                                                                          Start date:16/06/2021
                                                                          Path:C:\Users\Public\098765.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\Public\098765.exe
                                                                          Imagebase:0xe30000
                                                                          File size:659456 bytes
                                                                          MD5 hash:5688C69C4379841EEE42DCAEC2DBF55A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2121391724.0000000003329000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2121733076.00000000034D6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2121559975.00000000033D8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 22%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:12:01:51
                                                                          Start date:16/06/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Imagebase:0x1f0000
                                                                          File size:64672 bytes
                                                                          MD5 hash:ADF76F395D5A0ECBBF005390B73C3FD2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2359788064.0000000003939000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2356733340.0000000000920000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2356337406.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2357249695.00000000028F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2356610128.0000000000760000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:12:01:56
                                                                          Start date:16/06/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7790.tmp'
                                                                          Imagebase:0x2a0000
                                                                          File size:179712 bytes
                                                                          MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:12:01:58
                                                                          Start date:16/06/2021
                                                                          Path:C:\Windows\System32\taskeng.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:taskeng.exe {6204476F-CB6D-41BF-A018-07A92169AAA2} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                                          Imagebase:0xff3c0000
                                                                          File size:464384 bytes
                                                                          MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:12:01:58
                                                                          Start date:16/06/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\RegAsm.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\RegAsm.exe 0
                                                                          Imagebase:0x1f0000
                                                                          File size:64672 bytes
                                                                          MD5 hash:ADF76F395D5A0ECBBF005390B73C3FD2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:moderate

                                                                          Disassembly

                                                                          Code Analysis


                                                                            Executed Functions
                                                                            APIs
                                                                            • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,00A7A1BD,?,?,?), ref: 00A7A424
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateProcessUser
                                                                            • Instruction ID: a6ef5c8257161aa7e70c619dfad7e64ebc0eb320c9b6b782d542680593ab8e98
                                                                            • Opcode Fuzzy Hash: bcb50b368ed32db1ce3396152544951a8dc7c53e14255ec9f0a35226060ce769
                                                                            • Instruction Fuzzy Hash: D3B14874C082989FCB12CFA4C854BDDBBB5BF1A304F0484EAD488A7262D7349A89CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: gm^
                                                                            • API String ID: 0-3998838190
                                                                            • Opcode ID: c0904fd7edf533b67fa09632ec9cc2b355468dc2111e155908deeab8d30dc453
                                                                            • Instruction ID: 2e25fce6ff23f53010abf23daaca0f7dbc58732a111a2df0594ebc780321457b
                                                                            • Opcode Fuzzy Hash: c0904fd7edf533b67fa09632ec9cc2b355468dc2111e155908deeab8d30dc453
                                                                            • Instruction Fuzzy Hash: 3BA11274C0425C9FCB21CFA4C880BDDBBB5BF5A304F1494EAE449A7261DB349A89CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,00A7A1BD,?,?,?), ref: 00A7A424
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateProcessUser
                                                                            • String ID:
                                                                            • API String ID: 2217836671-0
                                                                            • Opcode ID: c2f932761e1edbd1b5cc48fc9ae246436af0f4c9a27fce25060e0b265a5b0a8d
                                                                            • Instruction ID: f2360e5c6b29d58dd9741b1bea3dadf20902a775e82d8bbea1bf84eac1352931
                                                                            • Opcode Fuzzy Hash: c2f932761e1edbd1b5cc48fc9ae246436af0f4c9a27fce25060e0b265a5b0a8d
                                                                            • Instruction Fuzzy Hash: F691E274D0026D9FCB25CFA4C884BEDBBB5BF5A304F1494AAE548B7220DB309A85CF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b3b8bbc2c80d3ee2899f49a6f09fd05e9ceb3e1fbd97e6306f48853b3531fc75
                                                                            • Instruction ID: 688882a0186057fedc038b6cecb6e7144e7185f752b11f7fd48a4252ca10a6f7
                                                                            • Opcode Fuzzy Hash: b3b8bbc2c80d3ee2899f49a6f09fd05e9ceb3e1fbd97e6306f48853b3531fc75
                                                                            • Instruction Fuzzy Hash: 0DA1DFB4E00218CFDB24CFA9C885B9EBBF2BF49304F1485A9E409B7251D7349A85CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 00A715D1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CopyFile
                                                                            • String ID:
                                                                            • API String ID: 1304948518-0
                                                                            • Opcode ID: 0be9c0a8da9e7b05587b9f6122456f2931a276c345b58309095ee80c48d1445a
                                                                            • Instruction ID: 583c19a3ac516dad1797faa65e485fc4adea154594d321e009c90fa1647e7774
                                                                            • Opcode Fuzzy Hash: 0be9c0a8da9e7b05587b9f6122456f2931a276c345b58309095ee80c48d1445a
                                                                            • Instruction Fuzzy Hash: AA51DD74E042188FDF24CFA8D885B9EBBF1BF49308F149569E809BB291DB749981CF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00A7D0DB
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: 749d64b301c1a18482ee74319b3c3184cff43f683bda9e2e8dceed9683c40990
                                                                            • Instruction ID: 8ffce6e80077bdfbcf22651013874ec172fae7db95a87bceaaebc5b41e9fdd19
                                                                            • Opcode Fuzzy Hash: 749d64b301c1a18482ee74319b3c3184cff43f683bda9e2e8dceed9683c40990
                                                                            • Instruction Fuzzy Hash: 9451CAB5D012588FCF00CFA9D980AEEFBF1BB49314F24942AE819B7210D734AA45CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00A7D0DB
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: 3bbfef6837caf1fd8a0f962ac2893f46a2037b94e532a871eb9581da60d621bf
                                                                            • Instruction ID: dcfcb56214d8abb76ce746e84c93828b608aeba4e81e69555f129b4d4cf0042b
                                                                            • Opcode Fuzzy Hash: 3bbfef6837caf1fd8a0f962ac2893f46a2037b94e532a871eb9581da60d621bf
                                                                            • Instruction Fuzzy Hash: 7D41A9B4D012089FCF00CFA9D884ADEFBF5BF49314F24942AE819B7210D735AA45CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00A7CDCA
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: aad4f138cb4883ec97a97ce5ea0d418d5d0d02fb622e0c3d98695cd0c4e98b2b
                                                                            • Instruction ID: aea2efff81617b30d5ddb7dd7ee1d6787837d9289ec465a9d5222a9fae5da228
                                                                            • Opcode Fuzzy Hash: aad4f138cb4883ec97a97ce5ea0d418d5d0d02fb622e0c3d98695cd0c4e98b2b
                                                                            • Instruction Fuzzy Hash: C831A9B9D002489FCF10CFE9E884ADEFBB5BB49310F14A42AE815B7210D735A945CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00A7CDCA
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 93c90a9ee4654ec1b053509905a73d4d929845484810660fa644d6c835765881
                                                                            • Instruction ID: ab8f404a18e0a1763ff1770bbca2af90639be52933aec1680c242ba834a6ccdb
                                                                            • Opcode Fuzzy Hash: 93c90a9ee4654ec1b053509905a73d4d929845484810660fa644d6c835765881
                                                                            • Instruction Fuzzy Hash: 733188B9D002589FCF10CFA9E884AEEFBB5BB49310F14A82AE815B7210D735A945CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 00A78177
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: 3685dc98b91f6125b7c4cbefc7811d619a39a7b1ec558588b21d5fe47664e0e4
                                                                            • Instruction ID: 7e9c6e01058b9e44519adfd9061c6804befd63398c7434831b0bb531110cfabd
                                                                            • Opcode Fuzzy Hash: 3685dc98b91f6125b7c4cbefc7811d619a39a7b1ec558588b21d5fe47664e0e4
                                                                            • Instruction Fuzzy Hash: 42319AB9D042589FCF10CFA9E884ADEFBB5BB49310F24946AE818B7350C774A945CF64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 00A7D507
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 983334009-0
                                                                            • Opcode ID: 3638bcf74fbcd9f9a530e748bce2d80e4cd48d15cd5782a44612223e1a314bd2
                                                                            • Instruction ID: 1f3f95945e135c79dd39832408fd163778cedfcd1a6751fb22f9e5f90765c212
                                                                            • Opcode Fuzzy Hash: 3638bcf74fbcd9f9a530e748bce2d80e4cd48d15cd5782a44612223e1a314bd2
                                                                            • Instruction Fuzzy Hash: F141BCB4D012589FDB10CFE9D884AEEBBF5BF49314F24842AE418B7250D739AA85CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 00A73BFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: 5d57c84bdf3661503f6f6de78336911f9a18ae0f64ea2d88d9c7a780b02ac20e
                                                                            • Instruction ID: 771d33a076c6873bea5985e046233dc4f332831f5eb4886f98530e8b629d5855
                                                                            • Opcode Fuzzy Hash: 5d57c84bdf3661503f6f6de78336911f9a18ae0f64ea2d88d9c7a780b02ac20e
                                                                            • Instruction Fuzzy Hash: 9C31BDB9D042589FCF10CFA9D884ADEFBB0BB59310F24942AE818B7350D334AA45DF64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 00A78177
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: 5956a947a3c47f87eb8f085ac922081bc5eb1ef58d0490f00f2bdba759de4770
                                                                            • Instruction ID: 475a6089895c43499a08914e53d74c1f6e20fe6627c337e9dd6b9f9cb8e06887
                                                                            • Opcode Fuzzy Hash: 5956a947a3c47f87eb8f085ac922081bc5eb1ef58d0490f00f2bdba759de4770
                                                                            • Instruction Fuzzy Hash: 48318BB9D002589FCF10CFA9E884ADEFBB5BB49310F24942AE818B7310D775A945CF64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 00A7D507
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 983334009-0
                                                                            • Opcode ID: b6a78f76931e49bd5135d2a3bd91ce10588126972ac24f5701c243e2d7f474dc
                                                                            • Instruction ID: 35fff6ea5586875305dfeaf5fa88771df226e97f2e36791482e9146133fbcdaf
                                                                            • Opcode Fuzzy Hash: b6a78f76931e49bd5135d2a3bd91ce10588126972ac24f5701c243e2d7f474dc
                                                                            • Instruction Fuzzy Hash: B331BBB4D012589FDB10CFA9D884AEEFBF5BF49314F24842AE418B7240D738AA85CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 00A73BFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: ae5197b01f4acf040c83598862f9a46061853778dc922643f6399f78401c1696
                                                                            • Instruction ID: b37ec1fa994bec808832a23b130cd99302df5dba37a0a1680fefdd109d3619ec
                                                                            • Opcode Fuzzy Hash: ae5197b01f4acf040c83598862f9a46061853778dc922643f6399f78401c1696
                                                                            • Instruction Fuzzy Hash: CD3199B9D002589FCF10CFA9E884ADEFBB5BB19310F24942AE814B7310D375AA45DF64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DeleteFile
                                                                            • String ID:
                                                                            • API String ID: 4033686569-0
                                                                            • Opcode ID: cf3c3237c63c4c0c2ef4bc347e2bac65cf2ecbb3d5f6bc496dc604fb00d76cf2
                                                                            • Instruction ID: 866f10e855a2f99ad353a6fc8a707dfed0e8871024ac1ff862cb96dfdfc2ba61
                                                                            • Opcode Fuzzy Hash: cf3c3237c63c4c0c2ef4bc347e2bac65cf2ecbb3d5f6bc496dc604fb00d76cf2
                                                                            • Instruction Fuzzy Hash: 7031BBB4D112199FCB10CFA9D884AEEFBF5BB49314F24846AE808B7350D774AA45CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DeleteFile
                                                                            • String ID:
                                                                            • API String ID: 4033686569-0
                                                                            • Opcode ID: 2641e5aa9504b1aa31ad71a19cf8a6ad94ef2f197e53f20973a00b8da8dc7c52
                                                                            • Instruction ID: c20d3b85da708688ce5e1469e711f3b63c5bae5636d05529b7e7451d2f52afb7
                                                                            • Opcode Fuzzy Hash: 2641e5aa9504b1aa31ad71a19cf8a6ad94ef2f197e53f20973a00b8da8dc7c52
                                                                            • Instruction Fuzzy Hash: A331BCB4D112199FCB10CFA9D884AEEFBF5BB49314F24846AE408B7350D734AA46CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            • String ID:
                                                                            • API String ID: 947044025-0
                                                                            • Opcode ID: 6db7747d2ab9a95d672ede6160270463ac508b35b51295941486ae307f4b2cbd
                                                                            • Instruction ID: 616098ca7a282aecd68792f063f5abd078a704bf0ecc04d63c3c9a269da17edc
                                                                            • Opcode Fuzzy Hash: 6db7747d2ab9a95d672ede6160270463ac508b35b51295941486ae307f4b2cbd
                                                                            • Instruction Fuzzy Hash: 6931DEB8D012489FCF14CFA9E884AEEFBB4BF49314F24982AE815B7250C734A941CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117979395.0000000000A70000.00000040.00000001.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2117687100.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Executed Functions

Memory Dump Source
• Source File: 00000005.00000002.2356792035.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegQueryValueExA.KERNEL32(00000000,005F5879,00020119,00000000,00000000,?), ref: 005F5C4F
Memory Dump Source
• Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegQueryValueExA.KERNEL32(00000000,005F5879,00020119,00000000,00000000,?), ref: 005F5C4F
Memory Dump Source
• Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 02072658
Memory Dump Source
• Source File: 00000005.00000002.2356792035.0000000002070000.00000040.00000001.sdmp, Offset: 02070000, based on PE: false
Similarity
• API ID: Query_
• String ID:
• API String ID: 428220571-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 005F59F7
Memory Dump Source
• Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 005F59F7
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: 1e96588e0e8c2df36360e18adda5fcae3388cb256a6e5de13062f78d3d2c6c78
                                                                            • Instruction ID: d203db4d248d5de5da1002bfb1e9bc734d4b5e4fc93514d09e55ce64587fa3ac
                                                                            • Opcode Fuzzy Hash: 1e96588e0e8c2df36360e18adda5fcae3388cb256a6e5de13062f78d3d2c6c78
                                                                            • Instruction Fuzzy Hash: 2F415970D0064CDFDB04CF99D8857AEBFB1BF48314F148529EA54A7650D7789841CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DeleteFile
                                                                            • String ID:
                                                                            • API String ID: 4033686569-0
                                                                            • Opcode ID: 269b91a2199dd17c2470b3e6451c25d075ef575d001aa58caec6b8954f6d5a54
                                                                            • Instruction ID: 64e29518f49fe3d53a30280205addf2b873407efef9d398744cb3a90ce281166
                                                                            • Opcode Fuzzy Hash: 269b91a2199dd17c2470b3e6451c25d075ef575d001aa58caec6b8954f6d5a54
                                                                            • Instruction Fuzzy Hash: 784144B0D0464C9FDB10CFA9C8457AEBFF1FF48304F14852AE814A7290D7789845CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DeleteFile
                                                                            • String ID:
                                                                            • API String ID: 4033686569-0
                                                                            • Opcode ID: 71ff1cb8e3b354f1a88e05846f7287605ed5275129fcae58192d6b3982c672f2
                                                                            • Instruction ID: e15c625e851f7d53eeebea4ab85f9d760d591ca8a032f171fdb497cb5c9b1916
                                                                            • Opcode Fuzzy Hash: 71ff1cb8e3b354f1a88e05846f7287605ed5275129fcae58192d6b3982c672f2
                                                                            • Instruction Fuzzy Hash: 7F4112B0D0465C8FDB10CFA9D8857AEBFF5BB48714F24852AE814AB290D7789845CF92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegCloseKey.KERNEL32(00000000), ref: 005F5D8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 578b2088fece4cc0b0434d5059bd55c8990bc2a84e9fbc0e57c52d964298e531
                                                                            • Instruction ID: be45943da9bac38088d24d9cf2bc639f06f0dc2c79f1815dd8a43107a33d2884
                                                                            • Opcode Fuzzy Hash: 578b2088fece4cc0b0434d5059bd55c8990bc2a84e9fbc0e57c52d964298e531
                                                                            • Instruction Fuzzy Hash: 6F1176B08002098FCB10CF99D4497DEFFF8FB49314F24885AD558A3650D774A905CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegCloseKey.KERNEL32(00000000), ref: 005F5D8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 710ecc1ff3aa925a103d39671bbb422d561d559b131dd0e0548cae4c7b302a36
                                                                            • Instruction ID: 301db2d60123fe663a2704bfb305906c49f04101ef83481d26ab4f948c00db08
                                                                            • Opcode Fuzzy Hash: 710ecc1ff3aa925a103d39671bbb422d561d559b131dd0e0548cae4c7b302a36
                                                                            • Instruction Fuzzy Hash: 7F1146B0900609CFCB10CF89D4487EEFBF8FB48314F24885AD618A7650D779A944CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 005F5F0C
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: ForegroundWindow
                                                                            • String ID:
                                                                            • API String ID: 2020703349-0
                                                                            • Opcode ID: a8c2866c467177d9c1244d43f2fe9c1a980da8aa2c7c06ca22d461908a8a929e
                                                                            • Instruction ID: 96cd21dd5e3a9781a4bea8380bc9a1edcabdaffdc9718670fd52dddc93c79230
                                                                            • Opcode Fuzzy Hash: a8c2866c467177d9c1244d43f2fe9c1a980da8aa2c7c06ca22d461908a8a929e
                                                                            • Instruction Fuzzy Hash: 851100B5D006098FCB10CF99D489BEEBBF8FB48314F24885AD919A7650D378A944CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356277719.00000000002AD000.00000040.00000001.sdmp, Offset: 002AD000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5c8c42670499625542d9f58778c245379e9d50709328820d1166c321f45a0813
                                                                            • Instruction ID: f5122cccaa2768eb115829effe41f25bc9b682e37c688644fd048de83a79b9cc
                                                                            • Opcode Fuzzy Hash: 5c8c42670499625542d9f58778c245379e9d50709328820d1166c321f45a0813
                                                                            • Instruction Fuzzy Hash: 2E210775614304DFDB14CF20D8C4B16BB65EB85314F34C969D80A4B646CB77D857CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356277719.00000000002AD000.00000040.00000001.sdmp, Offset: 002AD000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f518a44666aa7ffbfc8e27ad24d27c2ad731fac6d4d390dc6a7113a168cb826d
                                                                            • Instruction ID: 85253f715cce298920afac62048ced4db223eada16617be94d097e9a189e9f39
                                                                            • Opcode Fuzzy Hash: f518a44666aa7ffbfc8e27ad24d27c2ad731fac6d4d390dc6a7113a168cb826d
                                                                            • Instruction Fuzzy Hash: F4213774514204EFDB01CF50D5C0B26BBA5FB85318F24C969DC0A4B656CB76D816CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356277719.00000000002AD000.00000040.00000001.sdmp, Offset: 002AD000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c73f93f4872765e3d862c5e20b1cfba52fa152747404e35b8696fd31c4dbf7f4
                                                                            • Instruction ID: e76becb745de093ea1f17526ddbda2474ed5021b3630105b1d921d21fdb441d9
                                                                            • Opcode Fuzzy Hash: c73f93f4872765e3d862c5e20b1cfba52fa152747404e35b8696fd31c4dbf7f4
                                                                            • Instruction Fuzzy Hash: 592180754083809FCB02CF24D994711BF71EB46314F28C5EAD8498F667C73A985ACB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.2356277719.00000000002AD000.00000040.00000001.sdmp, Offset: 002AD000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dfda98d91f2f5b0161d9f04259e1ae266c26790eb7c3f99474982129a1603c56
                                                                            • Instruction ID: 7f96ec4c87c0d8e668d8b932b6343981272698de57920897b15a0990bcd609ef
                                                                            • Opcode Fuzzy Hash: dfda98d91f2f5b0161d9f04259e1ae266c26790eb7c3f99474982129a1603c56
                                                                            • Instruction Fuzzy Hash: 6011DD75944280DFDB12CF10D5C4B15FBA1FB85314F28C6ADDC0A4B666C33AD85ACB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            Executed Functions

                                                                            APIs
                                                                            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 002B1A3B
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2127557159.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: PathSearch
                                                                            • String ID:
                                                                            • API String ID: 2203818243-0
                                                                            • Opcode ID: cbd5229461f0c5c79008a8d3d93ec2535b5ab3802634dc0729adcc5729df5ddf
                                                                            • Instruction ID: 47147dbd992f8c4144b3d91b759e72ef35506e6c6fa3460759c33f272b188db3
                                                                            • Opcode Fuzzy Hash: cbd5229461f0c5c79008a8d3d93ec2535b5ab3802634dc0729adcc5729df5ddf
                                                                            • Instruction Fuzzy Hash: 5F7135B1D106098FDB24CF99C8A4BDEBBB5FF48314F648129E819AB350DB74A955CF80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 002B1A3B
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2127557159.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: PathSearch
                                                                            • String ID:
                                                                            • API String ID: 2203818243-0
                                                                            • Opcode ID: 6a3a2291b720c88e322d5d64d5f3de3bb30e23c4ac167a7d8e8809fd5341eed6
                                                                            • Instruction ID: 66153069e3d8055b91d6095f140c445f83e8b2c8b85c284bcf109580e9d9679e
                                                                            • Opcode Fuzzy Hash: 6a3a2291b720c88e322d5d64d5f3de3bb30e23c4ac167a7d8e8809fd5341eed6
                                                                            • Instruction Fuzzy Hash: D97124B0D106098FDB24CF99C894BDEBBB5FF48314F658129E819AB350DB74A955CF80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

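The function entries above are easier to triage once they are grouped by the memory region they were lifted from: every entry here comes from a dump that is "based on PE: false", i.e. code that is not backed by an image on disk, and the RegOpenKeyExA reference at 005F59F7 passes 80000002 as its first argument, which is HKEY_LOCAL_MACHINE. The script below is an added example, not Joe Sandbox code and not part of this report; it parses entries in the layout shown above, decodes root-hive constants, and tracks the Executed / Non-executed Functions headers. Two things in it are assumptions: that the fifth dotted field of a .sdmp name (00000040 here) is the region's Win32 page protection, and that "executed code in an RWX region not backed by a PE" is a reasonable triage heuristic for locating an unpacked payload. The embedded sample is constructed from the entries above (API refs and dump names copied verbatim, other Similarity fields omitted) and assumes, as the empty Non-executed Functions block between the two processes suggests, that the process-5 entries sit under an Executed Functions header.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, abridged to the fields the parser uses. API refs and dump names are
# copied from the report entries; placement under "Executed Functions" is an assumption.
SAMPLE = """\
Executed Functions

APIs
• RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 005F59F7
Memory Dump Source
• Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.2356478866.00000000005F0000.00000040.00000001.sdmp, Offset: 005F0000, based on PE: false
Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

APIs
• SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 002B1A3B
Memory Dump Source
• Source File: 00000009.00000002.2127557159.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
Uniqueness Score: -1.00%
"""

HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
PAGE_EXECUTE_READWRITE = 0x40
API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(\w+)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int

    def hive(self) -> Optional[str]:
        # Decode the hKey argument of a Reg* call when it is a root-hive constant.
        if not (self.name.startswith("Reg") and self.args):
            return None
        try:
            return HKEY_NAMES.get(int(self.args[0], 16))
        except ValueError:  # '?' means the sandbox could not resolve the argument
            return None

@dataclass
class FunctionEntry:
    executed: bool
    source_file: str = ""
    based_on_pe: bool = False
    apis: List[ApiCall] = field(default_factory=list)

    def rwx(self) -> bool:
        """Assumption: the 5th dotted field of the .sdmp name is the region's page protection."""
        parts = self.source_file.split(".")
        return len(parts) > 4 and int(parts[4], 16) == PAGE_EXECUTE_READWRITE

def parse_entries(text: str) -> List[FunctionEntry]:
    """One entry per 'Uniqueness Score' line; an entry may open at 'APIs' or 'Memory Dump Source'."""
    entries, executed, cur = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Executed Functions", "Non-executed Functions"):
            executed = line.startswith("Executed")
        elif line in ("APIs", "Memory Dump Source") and cur is None:
            cur = FunctionEntry(executed=executed)
        elif cur is None:
            continue
        elif line.startswith("Uniqueness Score:"):
            entries.append(cur)
            cur = None
        elif m := API_RE.match(line):
            cur.apis.append(ApiCall(m[1], m[2], [a.strip() for a in m[3].split(",")], int(m[4], 16)))
        elif m := SRC_RE.search(line):
            cur.source_file, cur.based_on_pe = m[1], m[2].lower() == "true"
    return entries

def summarize(entries: List[FunctionEntry]) -> Dict[str, dict]:
    """Per dump region: how many functions ran, which APIs it reaches, which hives it opens."""
    out = defaultdict(lambda: {"executed": 0, "total": 0, "apis": set(), "hives": set(), "rwx_not_pe": False})
    for e in entries:
        s = out[e.source_file]
        s["total"], s["executed"] = s["total"] + 1, s["executed"] + int(e.executed)
        s["rwx_not_pe"] = e.rwx() and not e.based_on_pe
        s["apis"].update(a.name for a in e.apis)
        s["hives"].update(filter(None, (a.hive() for a in e.apis)))
    return dict(out)

def regions_of_interest(entries: List[FunctionEntry]) -> List[str]:
    """Triage heuristic (ours, not the sandbox's): executed code in an RWX region that is not
    backed by a PE on disk is where an unpacked or injected payload usually lives."""
    return sorted(src for src, s in summarize(entries).items() if s["executed"] and s["rwx_not_pe"])
```

Run `summarize(parse_entries(SAMPLE))` to get one record per dump file; on the constructed sample both 005F0000 in process 5 and 002B0000 in process 9 come back as executed, RWX and not PE-backed, and the process-5 record carries HKEY_LOCAL_MACHINE from the RegOpenKeyExA argument. Feeding the full listing instead of the sample is a matter of pasting the report text into `parse_entries`; entries without an API reference (such as the DeleteFile ones above) parse as entries with an empty `apis` list rather than being dropped.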
                                                                            Non-executed Functions